You’d never buy a home without a home inspection.
But there’s a difference between a passable inspection to enable your sale and a more thorough, high-quality one. After all, the point is to discover potential risks in your prospective new home so you can address these issues ahead of time… rather than just “pass” an inspection.
Miss out on risks due to a poor inspection and you’ll be liable for costly repairs. Worse, you might put yourself (and your family) in physical danger or risk losing the house entirely.
It’s worth making a small investment to ensure you get a proper, thorough home inspection.
Likewise, penetration testing is a relatively small investment that can make a world of difference, but it has to be done right. The goal, just like for good home inspections, is to uncover and address real risks, not just be “passable,” leaving you exposed to hidden threats.
Let’s talk about why you should invest in pen testing for SOC 2, the difference between high- and low-quality testing, why vulnerability scans are insufficient, and the cost of penetration testing.
What is Penetration Testing (or Pen Testing)?
Penetration testing is a simulated cyberattack on an organization’s systems performed by security professionals to assess its cybersecurity defenses. This exercise aims to find potential issues and address them proactively. Pen testing may also be implemented as a regular practice to ensure the ongoing effectiveness of compliance controls.
Think of it as a home inspector finding a catastrophic issue with the roof. Thanks to his diligence and process, you now know of a major potential issue that you can address accordingly. Likewise, pen testing can help you uncover security threats and vulnerabilities so you can correct them to create a stronger (and more compliant) security program.
Does SOC 2 Require Penetration Testing?
No, SOC 2 does not require penetration testing, but most organizations will get one as part of their compliance with the standard. Penetration testing typically falls under “Monitoring Activities” in the Trust Services Criteria, as it allows the company to test the effectiveness of its controls.
In our experience, organizations should run a penetration test at least annually but may decide more frequent testing is necessary based on their security objectives.
The Trust Services Criteria outlines “Monitoring Activities” as:
“CC4.1 COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.”
A little further down in this section, under additional points of focus, it specifically mentions penetration testing (emphasis ours):
“Considers Different Types of Ongoing and Separate Evaluations — Management uses a variety of ongoing and separate risk and control evaluations to determine whether internal controls are present and functioning. Depending on the entity’s objectives, such risk and control evaluations may include first- and second-line monitoring and control testing, internal audit assessments, compliance assessments, resilience assessments, vulnerability scans, security assessment, penetration testing, and third-party assessments.”
In other words, risk and control evaluations will differ from company to company based on objectives. Through and through, SOC 2 is a framework designed to align risks and controls with security objectives.
So, depending on the organization’s goals, their evaluations “may include” a mix of several of these controls, so long as they’re justified. The list in the standard provides a few of those options, but in our experience, the best security programs implement all of them!
If you choose not to do any penetration testing, you may have your more security-conscious customers ask why you made that decision. Be prepared with a good answer and other evidence of your monitoring security controls!
What Makes a Good SOC 2 Penetration Test?
Since penetration testing is not required for SOC 2, there is no specific standard type of pen test. If it aligns with your objectives, seek only high-quality penetration testing that pursues a specific goal, matches your audit scope, and uncovers actionable results.
A Good SOC 2 Penetration Test Pursues a Specific Goal
By pursuing one specific goal, penetration testing gives us a lot of valuable information. That goal might be to break into your building or find a backdoor into your systems. This focus allows security professionals to determine specific areas of weakness that your organization can then remedy.
SOC 2 places a large emphasis on controls protecting customer data. So, one example goal might be to try to breach the system where customer data is stored. The pen testers might uncover vulnerabilities such as insecure passwords or unpatched software. They will then provide actionable insights on addressing and correcting these issues. So if you are wondering, “Do I need a pen test?”, it is certainly beneficial for identifying and securing potential vulnerabilities.
A Good SOC 2 Penetration Test Matches Your SOC 2 Audit’s Scope
Your SOC 2 audit covers a particular scope, such as business units, systems, and processes. So, it makes sense to run penetration testing that matches the scope of your SOC 2 audit. If the scope of the pen test is smaller than the audit scope, you might miss vulnerabilities in key areas.
Let’s say your SOC 2 audit focuses on your cloud infrastructure and customer-facing applications. In this case, your pen testing should align with those specific areas.
A Good SOC 2 Penetration Test Uncovers Actionable Results
Penetration testing is only valuable if you take action on the vulnerabilities you uncover. So, a good penetration test will offer actionable results that you can use to improve your overall security. It’s not enough to reach a passable state. After all, the whole purpose of a SOC 2 audit isn’t just to get a report. It’s to create a stronger, better overall security program.
Penetration Tests vs. Vulnerability Scans for SOC 2
Penetration tests and vulnerability scans are often confused but have significant differences. A vulnerability scan is an automated process designed to identify vulnerabilities in your systems, like outdated software.
Vulnerability scans lack the depth of pen tests. Imagine a home inspection that was only conducted from the outside!
A penetration test is an active, simulated real-world attack that uncovers vulnerabilities that a simpler, external scan will likely miss.
It’s not that vulnerability scans aren’t useful – they have their place and may well be included as part of the SOC 2 compliance program. However, they are not a substitute for comprehensive penetration testing in a strong cybersecurity program.
Vulnerability Scans in the Trust Services Criteria
Vulnerability scans are mentioned in the Trust Services Criteria within CC7.1:
“To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities …
Conducts Vulnerability Scans — The entity conducts infrastructure and software vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after significant changes are made to the environment. Action is taken to remediate identified deficiencies in a timely manner to support the achievement of the entity’s objectives.”
As their name might imply, vulnerability scans are particularly useful for finding vulnerabilities in system configurations, especially when system changes might introduce new threats. While they don’t offer the same level of insight or value as a penetration test, they are often used as part of a continuous monitoring program.
The differences in depth between the two become clearer when discussing pricing.
How Much Does a SOC 2 Penetration Test Cost?
A SOC 2 penetration test is usually done on a project rate and can vary based on the test’s quality. Pen tests that get organizations “compliant” can be done for around $5,000. Quality penetration testing (with actionable results) often costs $15,000-$30,000, though it may be more expensive for larger companies with a greater scope.
Again, we want to be very clear that a “compliant” pen test and a high-quality one are two very different things. We do not recommend seeking a pen test simply to reach compliance; seek one to build a stronger, more compliant security program.
How Much Does Vulnerability Scanning Cost?
Vulnerability scanning is less comprehensive than pen testing and might cost a few thousand dollars when done individually. These scans may pick up on system configuration issues or outdated software but don’t offer the actionable insights of pen testing. Vulnerability scans can be valuable alongside pen testing, especially for continuous monitoring.
Conclusion: Shortcuts Create – or Fail to Reveal – Risks!
Don’t buy a home without a quality home inspection. And don’t cut corners on your SOC 2 preparation with low-quality pen testing that might miss catastrophic threats to your business!
Penetration testing is done to actively and aggressively find hidden vulnerabilities, so don’t settle for just getting “compliant.” Pen testing is truly only valuable when you act to remediate the uncovered issues to prevent future security incidents or compliance failures.
While a low-quality pen test might be “fine” for getting compliant, it does not help you become a more secure organization. Given that you’re already spending thousands to build out your SOC 2 program, it’s not worth taking shortcuts.
At that point, instead of SOC 2 compliance being a sales enablement tool, your qualified report becomes an area of concern for prospects. This, in turn, makes it more difficult to enable sales, as you have become the risky party.
If your organization is pursuing SOC 2 compliance, Fractional CISO can help.
As part of our SOC 2 preparation services, we will help you pick the right pen tester for your needs. It’s just part of the strong cybersecurity foundation we build for your company so you can confidently pass your SOC 2 audit and position your organization for long-term success.