Penetration Testing for SOC 2 and ISO 27001: What You Actually Need
What pen testing SOC 2 and ISO 27001 actually require, how to scope it, choosing a firm, and using results for audit evidence.
TL;DR
- SOC 2 doesn't explicitly require pen testing, but auditors expect it as evidence for CC4.1 and CC7.1. ISO 27001 A.8.8 effectively requires it.
- Annual testing at minimum. Retest after major infrastructure or code changes.
- Typical SaaS pen test cost: $8,000–$25,000 external, $5,000–$15,000 web app. Choose firms with CREST/OSCP and industry-specific experience.
Penetration testing sits at the intersection of security and compliance. You need it for both, but the requirements are different and the market is full of overpriced engagements that deliver 100-page reports nobody reads. This guide covers what SOC 2 and ISO 27001 actually require, how to scope effectively, and how to use results as audit evidence.
What the Frameworks Require
SOC 2 does not have a line item that says "penetration test required." However, CC4.1 (monitoring activities) and CC7.1 (system operations) require organizations to detect vulnerabilities and assess the effectiveness of security controls. Penetration testing is the standard evidence for these controls. Every SOC 2 auditor we have worked with asks for a pen test report.
ISO 27001 Annex A control A.8.8 (management of technical vulnerabilities) requires organizations to identify, evaluate, and address technical vulnerabilities in a timely manner. A.8.8 supplementary guidance references security testing as a verification method. Certification auditors treat pen test reports as expected evidence.
Bottom line: neither framework says "you must do a pen test" in those exact words, but both effectively require it through their control requirements.
Scoping Your Pen Test
Do not pay for testing you do not need. Scope to what matters for compliance:
- External network test — Tests your internet-facing infrastructure for vulnerabilities. This is the minimum for SOC 2 and ISO 27001.
- Web application test — Tests your SaaS application for OWASP Top 10 vulnerabilities, authentication flaws, authorization bypass, and injection attacks. Essential for any SaaS company.
- API test — Tests your API endpoints for authentication, authorization, rate limiting, input validation, and data exposure. Critical if your product has a public or partner API.
- Internal network test — Tests your corporate network. Less critical for cloud-native SaaS companies but relevant if you have an office network.
For most SaaS companies, start with external network + web application + API testing.
Choosing a Firm
Look for:
- CREST or OSCP certified testers
- Experience with SaaS and cloud environments
- Clear methodology (OWASP, PTES, NIST SP 800-115)
- Reports that include remediation guidance, not just findings
- Willingness to retest critical findings after remediation
- Reasonable pricing (avoid both the cheapest and most expensive options)
Using Results for Audit Evidence
Your pen test report serves multiple compliance purposes:
- SOC 2 evidence: Executive summary and finding details satisfy CC4.1 and CC7.1. Remediation records for critical findings demonstrate control effectiveness. Share with auditors during the examination.
- ISO 27001 evidence: The report satisfies A.8.8 technical vulnerability management. Your remediation timeline and retest results satisfy the "timely manner" requirement. Include in your evidence collection for surveillance audits.
- Procurement packages: The executive summary (without detailed findings) is a standard component of your trust center and security review package.
After the Test
Fix critical and high findings before your audit observation period or certification audit. Document remediation in your ticketing system. Request retesting for critical findings — auditors want to see that critical vulnerabilities were confirmed fixed.
Medium and low findings should be tracked in your risk register and addressed according to your risk treatment plan. Not everything needs to be fixed immediately.
For the broader audit preparation context, see our SOC 2 readiness guide and audit readiness checklist. For help building your compliance program, explore our services or schedule a call.