Does SOC 2 Require Penetration Testing?

Does SOC 2 require penetration testing or vulnerability scanning? This is a great question and one that we get asked frequently. Today, we will explore the interpretations of the requirements and our recommended approach.

What is SOC 2?

Developed by the American Institute of CPAs, SOC 2 defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality and privacy. It is important to note that SOC 2 is not a certification but rather an auditor’s opinion. This is where the confusion and ambiguity stems from as there is no defined list of boxes to check to become SOC 2 compliant. Instead of using a defined control set (e.g. ISO 27001 Annex A Controls), SOC 2 specifies criteria for which adequate controls must be designed. Below are how the AICPA defines the 5 trust service principles:

  1. Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
  2. Availability – Information and systems are available for operation and use to meet the entity’s objectives.
  3. Processing Integrity – System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
  4. Confidentiality – Information designated as confidential is protected to meet the entity’s objectives.
  5. Privacy – Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.

Is Penetration Testing or Vulnerability Scanning Required?

Technically, no, but it truly depends on what your auditor deems as adequate for certain requirements. According to CC4.1:

COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Further, the Criteria goes on to state in its “Points to Focus on”: Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments.

Although this may seem explicit, what they are stating is that one of multiple types of evaluations that could be used to satisfy this criteria is penetration testing. Your auditor may say that the ISO certification satisfies this requirement and, therefore, no penetration testing is required. As a security firm, we are always going to advocate for regular penetration testing to be a part of your overall risk management process, as this is a realistic and hands-on assessment of your risk.

With regards to vulnerability scanning, according to CC7.1:

To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

Further, the criteria goes on to state in their points of focus that the entity should:

Conducts Vulnerability Scans—The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis.

Based on this criteria, we highly recommend that quarterly vulnerability scanning be a part of your security program in order to ensure this criteria is being met. However, it does not state that a formal penetration test has to be completed. As your organization matures, quarterly vulnerability scanning and annual penetration testing should be one of the core foundations to test the soundness of your security program and the realistic effectiveness of your security controls. Reach out to us today to learn how we can help!