Penetration Testing for Compliance

Which frameworks require pentesting, what scope and frequency they demand, and what it will cost you. PCI DSS, SOC 2, ISO 27001, and HIPAA explained.

| Framework | Pentest Required? | Frequency | Est. Annual Cost |
|---|---|---|---|
| PCI DSS | Yes — mandatory | Annual + after changes | £8k–£25k |
| SOC 2 | Strongly expected | Annual | £7k–£20k |
| ISO 27001 | Best practice | Annual | £5k–£40k |
| HIPAA | Due diligence | Periodic | £8k–£18k |

PCI DSS

Explicitly Required

PCI DSS v4.0, Requirement 11.3

Frequency

Annual minimum + after significant changes

Scope

Cardholder data environment (CDE) — all systems that store, process, or transmit cardholder data, plus connected systems

Tester Requirements

Qualified internal resource or qualified external tester. QSA may require CREST or equivalent certification.

Key Points

  • External pentest required annually at minimum
  • Internal pentest required annually at minimum
  • Retest required after significant changes to CDE
  • Segmentation controls must be tested separately (a segmentation test is required where segmentation is used to isolate the CDE from other networks)
  • Written report with pass/fail status required
  • Evidence of remediation of exploitable vulnerabilities required

Cost Implication

For PCI DSS, budget for at least an annual external + internal network test. If you have a web application in scope, a web app pentest is also expected. Combined PCI pentest programmes typically cost £8,000–£25,000 per cycle.

SOC 2

Strongly Expected

AICPA Trust Services Criteria, CC6.1 — Logical & Physical Access

Frequency

Annual (aligned with audit cycle)

Scope

Systems in scope for the SOC 2 audit — typically production infrastructure, key SaaS applications, and access management systems

Tester Requirements

Independent third party strongly preferred. CREST-certified or equivalent.

Key Points

  • Not formally required by AICPA but expected by most auditors
  • Absence of pentest often leads to compensating control requirements
  • Report must cover the audit period (Type II) or point in time (Type I)
  • Auditors want to see remediation evidence, not just the pentest report
  • Scope should align with system description boundaries

Cost Implication

SOC 2 pentest programmes typically cost £7,000–£20,000 per cycle depending on system complexity. Factor in a retest so the evidence package shows findings closed, not just identified.

ISO 27001

Best Practice / Expected

ISO/IEC 27001:2022, Annex A 8.8 (Vulnerability Management)

Frequency

Annual minimum; more frequent for high-change environments

Scope

ISMS scope — typically all information assets, systems, and processes included in certification scope

Tester Requirements

Qualified internal or external tester. Certification body may review test methodology.

Key Points

  • Annex A 8.8 requires regular vulnerability assessments
  • Penetration testing is expected evidence for technical security controls
  • Auditors increasingly require annual pentest evidence for surveillance audits
  • Findings must feed into the risk register and risk treatment plan
  • Remediation evidence expected within defined SLAs

Cost Implication

ISO 27001 pentest programmes vary by organisation size. SMB programmes: £5,000–£12,000/year. Enterprise scope: £15,000–£40,000/year.

HIPAA

Due Diligence Expected

Security Rule (45 CFR 164), §164.308(a)(8) — Evaluation

Frequency

Periodic — no fixed frequency mandated

Scope

Electronic Protected Health Information (ePHI) systems — EHR platforms, patient portals, imaging systems, connected infrastructure

Tester Requirements

No specific certification required, but an independent, qualified tester is prudent for breach defence.

Key Points

  • HIPAA does not explicitly mandate penetration testing
  • OCR breach settlement agreements repeatedly cite lack of penetration testing
  • Technical safeguard evaluations (§164.308(a)(8)) expected periodically
  • Business Associate Agreements (BAAs) increasingly require pentesting evidence
  • Post-breach, absence of pentesting is an aggravating factor in OCR investigations

Cost Implication

HIPAA-driven pentest programmes typically focus on ePHI systems. Annual web app + network test: £8,000–£18,000 per cycle.

Running Multiple Frameworks Simultaneously

Many organisations must satisfy multiple frameworks (e.g. PCI DSS + SOC 2 + ISO 27001). The good news is that a well-scoped penetration test can satisfy evidence requirements across all three simultaneously if the scope, methodology, and report format are aligned. Work with your auditors and pentest provider to agree a single evidence package that covers all frameworks — this typically saves 30–40% versus running separate tests per framework.

The key is ensuring your pentest report explicitly maps findings to each framework's control requirements. Most boutique security firms can produce framework-mapped reports on request.

Need to scope a compliance-driven pentest?

Use our calculator to model the cost based on your framework requirements, or get expert guidance.