Penetration Testing and Compliance


Connecting compliance with penetration testing

Compliance requirements aside, penetration testing is a critical aspect of any security programme. A threat landscape that keeps evolving as attack techniques grow more complex means that organisations must continually monitor and manage their vulnerabilities.

In today’s regulated environment, many organisations are looking for better ways to continually assess their compliance posture. Various regulations and standards have multiple components specifically related to system auditing and security, and either indicate or specify that penetration testing is necessary to determine whether identified vulnerabilities pose a genuine risk to an organisation.

PCI DSS

What is it?

The PCI DSS (Payment Card Industry Data Security Standard) was set up to help businesses process card payments securely and reduce card fraud. It does this by enforcing tight controls on how businesses store, transmit and process the sensitive cardholder data they handle.


Requirement 11.3 of the PCI DSS describes the need to regularly carry out penetration testing to identify unaddressed security issues and scan for rogue wireless networks.


ISO 27001

What is it?

Penetration testing is an essential component of ISO 27001 compliance (and potentially of achieving certification). Through penetration testing, organisations can effectively identify where to improve their information security management system (ISMS). Penetration testing also forms part of an effective continual improvement regime.


ISO 27001 control objective A12.6 (Technical Vulnerability Management) says that “Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.”


GDPR

What is it?

The GDPR is the General Data Protection Regulation: a pan-European data protection law. It gives EU data subjects more control over how their personal data is processed and places a range of new obligations on organisations that process and control the processing of personal data.


Article 32 of the Regulation requires organisations to implement technical measures to ensure data security. It outlines specific measures and highlights the need for “[A] process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”.
