Safeguard 18.1 (Implementation Groups: IG2, IG3)

Establish and Maintain a Penetration Testing Program

Control Group: 18. Penetration Testing
Asset Type: N/A
Security Function: Identify

Description

Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include: scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable testing hours and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.

Implementation Checklist

1. Document current state and create baseline inventory
2. Define data fields and attributes to track
3. Assign ownership and responsibilities
4. Establish review cadence and update procedures
5. Define penetration testing scope and rules of engagement
6. Engage qualified penetration testing team
7. Review findings and prioritize remediation
8. Validate remediation through retesting

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Unknown Vulnerabilities Persist Due to No Penetration Testing (Confidentiality)

Critical exploitable vulnerabilities in the enterprise's network, applications, and services remain undiscovered because no penetration testing program exists to proactively identify them before attackers do.

False Sense of Security from Automated Scanning Alone (Integrity)

The organization relies solely on automated vulnerability scanning, which misses complex attack chains and configuration weaknesses that only a structured penetration testing program would uncover.

Compliance Gap from Absent Penetration Testing Capability (Integrity)

The organization fails to meet regulatory or contractual requirements for penetration testing because no program with defined scope, frequency, and remediation processes has been established.

Vulnerabilities (When Safeguard Absent)

No Established Penetration Testing Program

Without a penetration testing program defining scope, frequency, methodology, and remediation processes, the organization has no proactive mechanism to discover exploitable vulnerabilities before attackers do.

No Defined Remediation Path for Penetration Test Findings

Absence of a program means that even ad hoc penetration tests produce findings with no defined process for routing, prioritizing, and tracking remediation of discovered vulnerabilities.

Evidence Requirements

| Type     | Evidence Item                                                        | Collection Frequency                      |
|----------|----------------------------------------------------------------------|-------------------------------------------|
| Document | Current inventory or catalog documentation                           | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities        | Reviewed annually                         |
| Record   | Penetration test report and executive summary                        | Per engagement                            |
| Record   | Remediation tracking and retest validation results                   | Post-engagement                           |
| Document | Governing policy document (current, approved, communicated)          | Reviewed annually                         |