
Does SOC2 require Pen-testing or vulnerability scans?

Penetration testing, or pen-testing, is focused on understanding which vulnerabilities a cybercriminal could exploit and how, so it is best to assess and test those vulnerabilities before any damage is incurred. Penetration testing is a process for identifying security vulnerabilities in systems or networks and attempting to exploit them without damaging any systems or data. The results of a penetration test are vital for finding and patching security flaws. Penetration testing can be a challenging task that requires advanced skills and knowledge. Pen-testing can also help ensure that regulatory requirements are met: requirements in ISO 27001 and SOC2, the two standards most commonly required in a business outsourcing context, may be satisfied by pen-testing.

SOC2 and penetration testing

The American Institute of Certified Public Accountants (AICPA) developed the Service and Organization Controls (SOC) based on the Trust Services Criteria (TSC). Penetration testing can facilitate compliance with SOC 2 and ISO 27001. SOC2, unlike many other compliance frameworks, is not a prescriptive set of controls to implement. Although SOC 2 is relatively flexible in how its requirements are met, being too lax can have significant consequences for compliance. Pen testing provides the independent analysis, testing, and validation of a company's cybersecurity that SOC2 expects. But is pen-testing an explicit requirement? The short answer is 'no': SOC2 does not explicitly require pen-testing; however, penetration testing can support compliance with SOC2, ISO 27001, and even PCI DSS.

Requirements SOC2

The requirements of SOC 2 (the common criteria, or CCs for short) contain two criteria that relate to cybersecurity, pen testing, and vulnerability management: CC4.1 and CC7.1. Penetration testing is generally considered the most common, practical, and cost-effective way to address cyber threats and achieve compliance with SOC2. Whether it is sufficient is, however, always subject to the auditor's interpretation. A properly performed penetration test validates that identified vulnerabilities are analyzed and recognized, and that the related security controls are implemented, exist, and work as designed. More explicitly, sections 4.1 and 7.1 of the common criteria include the following requirements:

CC4.1 – Management uses various types of ongoing and separate evaluations, including penetration testing, independent certifications made against established specifications (for example, ISO certifications), and internal audit assessments. Penetration testing is mentioned in CC4.1, but not explicitly required. If cyber security risks are otherwise addressed, this may also lead to compliance with SOC2.


CC7.1 – The entity uses detection and monitoring procedures to identify (1) changes to configurations that result in new vulnerabilities and (2) susceptibilities to newly discovered vulnerabilities. I emphasize that recognizing a vulnerability should always be combined with controlling the related risk within a control framework. Again, identifying vulnerabilities is mentioned, but vulnerability scanning is not explicitly required. However, vulnerability scans combined with pen-testing are the most common and most effective method for identifying vulnerabilities. The SOC 2 penetration testing requirements are therefore not explicit and are subject to interpretation: neither vulnerability scanning nor pen-testing is mentioned as a requirement. Using vulnerability scanning, penetration testing, and/or similar techniques to identify vulnerabilities is nevertheless highly recommended and considered best practice by most professional audit firms, so most professional auditors will expect vulnerability scanning and penetration testing.

When could a pen-test be considered professional?

What level of penetration testing could be suitable for SOC2? Five phases can be recognized in penetration testing: reconnaissance, scanning, vulnerability assessment, exploitation, and reporting. These phases should be identifiable in a professional pentest report. Further, the pentester should apply specific methods and techniques for pen-testing.

Methods for pentesting

Different penetration testing methods and tools are available, and each has strengths and weaknesses. The most common include Nmap, a powerful network scanning tool that scans for open ports and services; Nmap can also analyze and identify vulnerable applications. Metasploit is a vulnerability exploitation tool with a library of exploits for many applications and operating systems. Wireshark analyzes a network: it can capture packet data from a network and decode it into readable form, which is useful for identifying malicious traffic or sensitive information transmitted over a network. Professional penetration testing done by ethical hackers generally consists of a combination of the above methods and others.
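CC7.1 asks for procedures that identify configuration changes resulting in new vulnerabilities, and the text above names Nmap as the usual scanning tool. As an added example (not code from the original article), the script below compares two Nmap grepable-format (-oG) scan results and reports ports that are newly open since the baseline, which is the kind of evidence an auditor can tie to CC7.1. The scan output is a constructed sample, not real data, and the host addresses are placeholders.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample output in Nmap's grepable (-oG) format; not real scan
# data. A baseline scan and a later scan of the same two placeholder hosts.
BASELINE = """\
# Nmap scan (constructed sample)
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.0.0.6 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)
"""
LATER = """\
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///
Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
"""

Exposure = Dict[str, Set[Tuple[int, str]]]


def parse_grepable(text: str) -> Exposure:
    """Map each host to the set of (port, service) pairs Nmap reported open."""
    exposure: Exposure = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and other record types are skipped
        segments = line.split("\t")
        host = segments[0].split()[1]
        ports_seg = next((s for s in segments if s.startswith("Ports:")), "")
        open_ports: Set[Tuple[int, str]] = set()
        for entry in ports_seg[len("Ports:"):].split(","):
            fields = entry.strip().split("/")
            # Grepable port fields: port/state/protocol/owner/service/rpc/version
            if len(fields) >= 5 and fields[1] == "open":
                open_ports.add((int(fields[0]), fields[4]))
        exposure[host] = open_ports
    return exposure


def new_exposures(baseline: str, later: str) -> Dict[str, List[Tuple[int, str]]]:
    """Ports open in the later scan that were not open in the baseline, per host."""
    before, after = parse_grepable(baseline), parse_grepable(later)
    delta: Dict[str, List[Tuple[int, str]]] = {}
    for host, ports in after.items():
        added = ports - before.get(host, set())  # a host absent from the baseline counts as all new
        if added:
            delta[host] = sorted(added)
    return delta


if __name__ == "__main__":
    for host, ports in new_exposures(BASELINE, LATER).items():
        for port, service in ports:
            print(f"{host}: port {port}/{service} newly open since baseline; review change ticket")
```

Each reported line is a configuration change to investigate and, once explained or remediated, a record to keep as CC7.1 evidence.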

Again, the usefulness of a pen-testing report for SOC2 depends on the professional performing the pen-testing. The advanced skill and knowledge acquired in an ethical hacking course are necessary to interpret the outcomes of the tools mentioned above. Another method is Burp Suite, a web application security testing tool that scans websites for vulnerabilities, manipulates requests and responses, and intercepts traffic between the client and server. Since many industries depend on web services, Burp Suite should be part of any professional penetration test. Finally, the most significant security risk lies with the users of your IT environment. What you can do as an IT manager to prevent hacking is to inform employees and develop a policy that ensures they handle data carefully, always and everywhere.
This can be achieved, for example, with a security awareness course, not just once but regularly: attention must not wane, and new threats appear periodically.


To summarize, SOC2 contains no explicit requirements for pen-testing; however, periodic pen-testing and vulnerability scanning are highly recommended for SOC2 compliance. Follow a SOC2 course to understand the ins and outs of the pen testing requirements for SOC2. A professional pen-testing report will generally combine methods aligned to the risks and systems of the organization being tested. Nmap, Metasploit, Wireshark, and Burp Suite are good-practice methods for pen testing. Any other technique could be applicable too; however, the chosen methods should cover all risks in the networks and systems in scope.