Is penetration testing required for the SOC 2?

Short answer: No, penetration tests are not required for the SOC 2.

But, if you want to know why and what this means for your business, keep reading.

To answer this question, we need a quick recap of what "required" really means when it comes to SOC 2.

Where do the requirements for the SOC 2 come from?

Purpose of the SOC 2 Report: “evaluate whether controls were suitably designed and operated effectively to achieve the entity’s objectives based on the trust services criteria.”

So, in a nutshell, the only real requirements of the SOC 2 are the Trust Services Criteria.

However, the American Institute of Certified Public Accountants (AICPA) introduced the Points of Focus to help management and auditors evaluate which specific controls are needed to meet each criterion.

What are the Points of Focus?

(Figure: the AICPA's definition of the Points of Focus; source: AICPA)

So, to be clear: the Points of Focus are not requirements, but they are the AICPA's authoritative guidance on how to assess whether an entity's controls meet the criteria.

What did the Previous Version of Points of Focus say about Pen Tests?

“Considers Different Types of Ongoing and Separate Evaluations—Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments.”

What does the Current Version of Points of Focus say about Pen Tests?


So the language shifted: the previous version named penetration testing explicitly, implying it was expected, while the current version leaves it to management to decide which ongoing and separate evaluations are appropriate to meet the entity's objectives.

So, should everyone be getting a pen test regardless?

Yes. According to the Verizon 2017 Data Breach Investigations Report, 61% of all data breaches were in smaller companies. If your company stores or processes sensitive electronic data, odds are you have exposed vulnerabilities that could give an attacker easy access, and the only reliable way to find them before an attacker does is to have someone think like an attacker.

So, to sum it all up: is it required? No. Is it a good idea? Yes. Will a reasonable SOC 2 auditor regard it as a control design gap if you don't regularly complete a pen test and remediate the high-risk findings? Most likely.


Do you want to learn more about the Points of Focus and creating SOC 2 controls? Visit our YouTube channel.


Looking for an auditor who can help guide you through the SOC 2 process? –  Contact Render


