If a customer or auditor has recently asked whether you’ve had a penetration test, you’re not alone — it’s one of the most common reasons companies first reach out to us.
Here’s the honest, plain-English version of where pen testing fits into compliance.
SOC 2 doesn’t technically mandate a penetration test — but in practice, most organisations pursuing SOC 2 get one anyway. Auditors expect evidence that you actively look for vulnerabilities, and a pen test is the clearest, most widely accepted way to show it. Increasingly, your customers demand one as a condition of doing business, regardless of what the framework says.
ISO 27001 similarly expects you to assess technical vulnerabilities; a pen test is the standard way to satisfy that expectation.
Cyber insurance providers increasingly ask whether you test, and may price your premium — or your eligibility — accordingly.
So the practical answer is usually yes: if you’re going through SOC 2, ISO 27001, or selling to enterprise customers, you’ll need a credible penetration test, even where the letter of the framework doesn’t spell it out.
The thing to avoid is treating it as a box to tick. A scan that produces a glossy PDF satisfies nobody who reads it carefully — and increasingly, customers’ security teams do read it carefully. A real test, run by people who manually probe your systems the way an attacker would, gives you something that holds up to scrutiny and actually tells you where you stand.
If you’re not sure what your customer or auditor is really asking for, that’s a conversation worth having before you commit to anything. We’re happy to talk it through.