Introduction
In many cases, penetration testing, an ethical engagement designed to identify and address security vulnerabilities in systems, applications and networks, is required. Sometimes this requirement is directly specified, while in other cases it is implied by a need to build, audit or assess processes to mitigate cyber risk.
This blog identifies just some of the more common pen testing standards and regulations. Note that specific industries often have their own security standards and processes that may overlap or pull directly from some of the standards listed here.
GDPR
A regulation that impacts almost all organisations operating in European markets is the General Data Protection Regulation (GDPR). In the UK, the GDPR’s requirements are held in the Data Protection Act 2018 (DPA 2018), which ensures they remain in place following withdrawal from the EU.
The GDPR covers all sectors of data protection; amongst its many requirements is the need for organisations to handle personal data appropriately, with the aim of improving information security, governance and GDPR compliance.
GDPR Article 32 specifically requires organisations to implement ‘A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of data processing’.
In online guidance, the Information Commissioner’s Office (ICO), the authority responsible for upholding data protection in the UK, recommends that organisations conduct GDPR-compliant penetration tests and vulnerability scans on a regular basis and, crucially, address any risks identified. Given the GDPR’s focus on personal information, organisations need to map clearly where this data is stored, handled and processed in order to work out where testing is required.
Redscan advises that GDPR penetration testing should be conducted annually on internal and external infrastructure. Web application testing should also be carried out if the applications in question, such as email, payroll and CRM systems, handle any personal data.
ISO 27001
ISO 27001, part of the ISO/IEC series of standards, is an international information security standard that outlines a framework of controls for Information Security Management Systems (ISMS). To get certified, organisations are required to build a suite of security controls to identify and address security risks across their networks and ensure they can meet evolving security requirements over time.
ISO 27001 requires organisations to apply controls in line with their own specific security risks. This means that no set of controls is mandatory, but the standard does outline a list of best practice recommendations that should be considered.
Objective A.12.6.1 of ISO 27001 states that information about technical security vulnerabilities should be obtained as soon as reasonably possible, that exposure to these vulnerabilities should be evaluated, and that appropriate measures should be taken to address the associated risks.
Penetration testing is useful at multiple stages of an ISMS project, so organisations typically look for a flexible ISO 27001 penetration testing provider that can tailor assessments to the specific security risks within their networks in order to meet bespoke requirements. ISO pen tests can be performed as part of the risk assessment process, where risks are identified and analysed; as part of the risk treatment plan, where controls are installed and tested; or as part of the continual improvement process.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a minimum set of requirements designed to help a business protect customer cardholder data. All organisations accepting or processing online card payments are required to undertake annual PCI security audits to ensure compliance.
Requirement 11 of PCI DSS 3.2 specifically requires the performance of regular penetration testing. Organisations that fall within the scope of PCI DSS must perform internal and external penetration testing at least annually, or after any notable or major changes to infrastructure.
PCI DSS penetration testing must include assessments of both infrastructure and applications across the cardholder data environment (CDE), from both the internal and external networks of an organisation. Businesses should look for a PCI pen test provider that can help to identify issues such as unsafe configurations, coding vulnerabilities, encryption flaws and poor access controls.
NIS Directive & Regulations
The Network and Information Systems Directive, more commonly known as the NIS Directive, or NIS Regulations in the UK, is pan-EU legislation designed to improve the security and resilience of critical infrastructure and services.
The NIS Directive applies to Operators of Essential Services (OES) like energy, transport, utilities and healthcare providers, as well as Relevant Digital Service Providers (RDSP) including online marketplaces, cloud computing services and online search agencies.
There is no specific requirement within the NIS Directive or NIS Regulations that mandates penetration testing. However, for organisations to effectively manage security risk and protect against cyber-attacks, as specified under the conditions of Objectives A and B, processes enabling auditing, testing, assessment, inspection and verification are essential to compliance.
In the ICO’s guide to NIS compliance, similarities are drawn with the requirements of data controllers under the GDPR. While the NIS Directive does not go into the same depth on the specifics of testing, RDSPs and OESs would be best advised to follow similar testing procedures and regulations as they do for the GDPR.
NHS DSP Toolkit
The Data Security and Protection Toolkit (DSP Toolkit) is an online self-assessment tool that helps organisations in the UK healthcare sector benchmark their security against the National Data Guardian’s Data Security (NDG) Standards. NDG Standards apply to all organisations handling health and social care information.
NDG Standard dictates that a strategy must be in place to protect IT systems from cyber threats. This requires at least an annual penetration test, covering critical network infrastructure and web services.
NHS Digital guidance recommends that organisations tread carefully when scoping a test, to prevent any adverse effects on the assets being assessed. It is also recommended that organisations look for a provider that can analyse their risk landscape holistically and identify their top data security risks, in line with requirement 9.4.3.
SWIFT CSP
The SWIFT Customer Security Programme (CSP) is a framework designed to help improve security on the SWIFT interbank communications system, as well as financial institutions that rely on SWIFT for sending and receiving information about financial transactions.
The CSP contains a range of advisory and mandatory controls designed to help organisations secure their environment, track and limit access, and detect and respond to threats. Principle 2 of the CSP requires organisations to reduce their attack surface where possible and manage any vulnerabilities in a timely and compliant manner.
While the programme was initially designed to require a self-attestation of compliance, a recent update means it now requires an independent assessment providing evidence of the design, implementation and effectiveness of security controls.
The testing requirements under SWIFT CSP v2020 are still relatively new in comparison to other frameworks and compliance standards; however, since 2021 SWIFT has analysed these assessments, requested additional evidence of compliance and shared results with third parties.
TOGAF
The Open Group Architecture Framework (TOGAF) is a widely used framework for enterprise architecture (EA) development. This methodology provides a comprehensive approach for designing, planning, implementing, and governing enterprise information technology (IT) architectures.
TOGAF’s key aspects include its Architecture Development Method (ADM), which consists of a series of phases, each focusing on a different aspect of architecture development, such as visioning, planning, designing, implementing and governing.
Another major feature is the Enterprise Continuum, a repository of architectural assets providing a structured, security-centric approach to organising and reusing architecture components, patterns and solutions.
While TOGAF does not explicitly mandate or mention penetration testing, organisations can incorporate penetration testing into their overall enterprise architecture practices as part of a comprehensive approach to managing security risks and ensuring the robustness of their architectures.
Overall, TOGAF provides a structured and systematic approach to developing enterprise architectures, aligning business goals with IT strategies, and managing architectural complexity and change within organisations.