AL Refs: EXT02
Penetration testing is a ubiquitous industry practice to engage an independent security consultancy to test the technical security of your critical systems. Penetration tests, as compared to automated vulnerability scanning, include human attempts to breach the security of your network and software that can identify additional vulnerabilities that automated software does not.
The industry expectation is that penetration tests are conducted independently. You might have specific enterprise customers that want to conduct their own penetration tests. You might also have your own internal security team that conducts penetration tests. Each of these practices is helpful, but generally falls short of the broader industry expectation that a for-purpose independent penetration test is conducted at least annually. Penetration tests conducted by a specific customer may be narrowly focused or bias towards their own specific interests. Internal penetration tests lacks the complete independence, and often the same level of expertise, as third-party specialists.
Penetration testing is not prescribed as a requirement for ISO 27001, SOC 2, HIPAA, and other standards, but generally imposed like a prescribed requirement by audit firms based on the broad industry expectation. The Consumer Data Right does specify penetration testing in the Schedule 2 requirements, but can have flexibility in the timing based on the circumstances that apply.
The type of penetration test done may depend on what's recommended by your penetration test provider, what your customers require or what you would find most beneficial at the current stage of your growth and maturity or the potential threats you'd like additional insight into. From an audit perspective, we typically don't at the type of test being conducted (black box, grey box, or white box) but that a test has been done, depending on the type of audit you're undergoing as mentioned above. As your auditors, we have to maintain a level of independence, so we are unable to suggest a service provider. Feel free to check out our Partners page for different service providers in our network or reach out to your compliance platform contacts (if you use a platform) for suggestions on what other customers have found helpful.
See also the Vulnerability Scanning page that works in combination with penetration testing to identify and resolve technical vulnerabilities.