Are penetration testing required for the SOC 2?

January 7, 2024

Short answer: No, penetration tests are not required for the SOC 2.

But, if you want to know why and what this means for your business, keep reading.

In order to answer this question, we have to do a quick recap on what is really meant by ‘required’ when it comes to SOC 2.

Where do the requirements for the SOC 2 come from?

Purpose of the SOC 2 Report: “evaluate whether controls were suitably designed and operated effectively to achieve the entity’s objectives based on the trust services criteria.”

So, in a nutshell, the only real requirements of the SOC 2 are the Trust Services Criteria.

However, the American Institute of Certified Public Accountants (AICPA) introduced the Points of Focus to help evaluate which specific controls should be required or not.

What are the Points of Focus?

source AICPA

So let’s remember, they are not Requirements, but they are authoritative guidance on assessing required controls.

What did the Previous Version of Points of Focus say about Pen Tests?

“Considers Different Types of Ongoing and Separate Evaluations—Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments.”

What does the Current Version of Points of Focus say about Pen Tests?

So the Points of Focus language moved from the previous version language indicating it should be required to the new version’s language allowing management to decide which ongoing evaluations were appropriate to meet the entity’s objectives.

Finally, so, what the heck, should everyone be getting a pen test regardless?

Yes. According to the Verizon 2017 Data Breach Investigation Report, 61% of all data breaches were in smaller companies. If your company stores or processes sensitive electronic data, odds are you’ve exposed vulnerabilities. These could allow attackers easy access. You need someone to think like an attacker to identify it.

So to sum it all up, is it required? No. Is it a good idea? Yes. Will a reasonable SOC 2 auditor regard it as a control design gap if you don’t regularly complete a pen test and remediate high risk gaps? Most likely.

Do you want to learn more about Point of Focus and creating SOC 2 controls? Visit out YouTube Channel- Click

Looking for an auditor who can help guide you through the SOC 2 process? – Contact Render

Share this post

Keep reading...

policy SOC report

Building Effective Security Policies: FOMO vs. Build-as-you-Go

04/22/2024

Ever gone to check the company policy for something and found yourself lost and hopeless in a thousand page policy jungle?

Beyond Fast Audits – Prioritizing Quality in Compliance Automation

03/26/2024

In the fast-paced world of compliance automation, where promises of rapid audits abound, it’s time to pause and reconsider our priorities.

SOC 2 timeline

How long does my first SOC 2 Exam take?

03/19/2024

Determining the timeline for achieving SOC 2 compliance is a bit like asking “how long does it take to build a car?”

Security Questionnaire

SOC 2 vs. Security Questionnaire?

03/06/2024

What’s the difference and how do they match up?

Navigating Compliance in a Serverless World

02/12/2024

It may be obvious that running a ‘serverless’ environment reduces your operational responsibilities.

What is a SOC 2 Gap Assessment?

01/28/2024

A SOC 2 Gap Assessment is a high-level review of a firm’s control’s environment against SOC 2 criteria to identify existing gaps.