Compliance Frameworks

Many industries are regulated by compliance frameworks that require regular security assessments and penetration testing.

PCI DSS

Payment Card Industry Data Security Standard

  • Requirement 11.3: Penetration testing
  • Annual external test by qualified assessor
  • Internal testing after significant changes
  • Network and application layer testing

HIPAA

Health Insurance Portability and Accountability Act

  • Technical evaluation required
  • Risk analysis mandate
  • No specific pentest requirement
  • Recommended as part of security program

SOC 2

Service Organization Control 2

  • Trust Services Criteria
  • Penetration testing often required
  • Annual testing common
  • Third-party assessment

ISO 27001

Information Security Management

  • Annex A.12.6: Technical vulnerability management
  • Annex A.18.2: Independent security review
  • Regular technical compliance checks

FedRAMP

Federal Risk and Authorization Management

  • Annual penetration testing
  • Must use accredited 3PAO
  • Web application and network testing

GDPR

General Data Protection Regulation

  • Article 32: Security testing
  • Regular testing and evaluation
  • Data protection impact assessments

Australian Compliance Frameworks

ACSC Essential Eight

Australian Cyber Security Centre

  • Application control testing
  • Patch application verification
  • Multi-factor authentication checks
  • Admin privilege restriction review
  • Maturity model assessment (0-3)

APRA CPS 234

Financial Sector Information Security

  • Mandatory for APRA-regulated entities
  • Information security capability testing
  • Third-party risk assessments
  • Annual control effectiveness testing
  • Board notification requirements

ISM (ASD)

Information Security Manual

  • Australian Government systems
  • PROTECTED/SECRET/TOP SECRET
  • Vulnerability assessments required
  • Penetration testing guidelines
  • IRAP assessment process

Privacy Act 1988

Australian Privacy Principles (APPs)

  • APP 11: Security of personal information
  • Notifiable Data Breaches (NDB) scheme
  • OAIC oversight and enforcement
  • Privacy Impact Assessments

SOCI Act 2018

Security of Critical Infrastructure

  • Critical infrastructure sectors
  • Risk management programs
  • Cyber security incident reporting
  • Government assistance measures

IRAP

Infosec Registered Assessors Program

  • ASD-endorsed assessors
  • Government cloud assessments
  • ISM compliance verification
  • PROTECTED certification path