How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-11-1

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-11-1

January 17, 2026
3 min read

Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-11-1 – Cybersecurity requirements for penetration testing exercises must be defined, documented and approved.

Reference: Essential Cybersecurity Controls (ECC – 2 : 2024).

Understanding the Requirement

This control requires organizations to create a formal, approved policy that governs penetration testing activities. At a minimum the policy should define what assets and systems are in scope, how often testing occurs, acceptable tools and methods, and the qualifications and responsibilities of the teams or vendors performing tests. Executive approval and documented sign-off are required so tests are coordinated, legally compliant, and aligned with business risk tolerance.

Technical Implementation

  • Create a penetration testing policy document.

    Draft a concise policy that states objectives, scope definitions (external, internal, web apps, cloud, mobile), rules of engagement, allowable tools (e.g., vulnerability scanners, authenticated tests, manual exploit attempts), and constraints (time windows, blackout periods, protected systems).

  • Define frequency and triggers for testing.

    Specify periodic schedules (e.g., annual full tests, quarterly targeted tests) and event-driven triggers (major releases, significant infrastructure changes, after incidents). Map each trigger to a minimum test depth (light scan, authenticated assessment, full red-team exercise).

  • Specify tester qualifications and selection criteria.

    Require background checks, proof of certifications or proven experience for vendors, and written NDAs. For internal teams, define required skills, separation of duties, and escalation paths for discovered high-risk issues.

  • Implement an approval and change-control workflow.

    Require signed pre-engagement approval by a designated executive (CEO/CTO/CISO or deputy) and use your change management process to schedule tests. Include a checklist for pre-test notifications to IT, Legal, and business owners, and capture approval artifacts in a central repository.

  • Define reporting, remediation, and retest requirements.

    Mandate a standard report format (executive summary, technical findings, risk ratings, remediation recommendations), timelines for remediation, and a requirement for verification retests of critical fixes. Integrate findings into your ticketing/issue-tracking system with SLAs.

  • Protect production availability and data.

    Include rules to prevent destructive testing on production data (use of test accounts/environment), require data handling controls, and define escalation procedures for detection of active compromise or accidental outages during testing.

Example in a Small or Medium Business

A 60-person SaaS company implements this control by drafting a short penetration testing policy that the CTO authors and the CEO approves. The policy states that externally facing web applications and APIs are in scope for a full penetration test annually, while internal network scans run quarterly. The company defines acceptable tools (automated scanners plus manual validation) and requires external vendors to sign an NDA, provide references, and demonstrate relevant experience. Before each test the vendor completes a pre-engagement questionnaire and the CTO schedules the test through the change management process, notifying support, legal, and customer-facing teams. The engagement requires executive sign-off and a designated point of contact from operations to avoid unintended outages. After the test the vendor delivers a prioritized report and the CTO creates remediation tickets with deadlines; critical issues receive immediate patches and a retest is scheduled within 30 days. All approvals, reports, and retest results are stored in the company’s compliance folder so audits and future planning can reference them.
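The approval workflow, blackout constraints and retest SLA described in the implementation steps and the SMB example above can be expressed as a pre-engagement gate that is checked before a test is scheduled. This is an added illustration, not code from the page or from any product it mentions; the policy field names, the blackout window and the engagement records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Policy values mirror the SMB example on this page; the field names are assumed.
POLICY = {
    # in-scope asset class -> minimum test depth the policy mandates for it
    "scope_depth": {"external_web_api": "full_pentest",
                    "internal_network": "authenticated_scan"},
    "approver_roles": {"CEO", "CTO", "CISO"},   # roles allowed to sign pre-engagement approval
    "blackout_windows": [(date(2026, 12, 20), date(2027, 1, 5))],  # constructed freeze period
    "critical_retest_days": 30,                  # retest SLA for critical findings
}

@dataclass
class Engagement:
    scope: str             # asset class named in the policy
    depth: str             # planned test depth
    approver_role: str     # role of the executive who signed off
    approval_signed: bool
    vendor_nda_on_file: bool
    change_ticket: str     # change-management reference, "" if none
    start: date
    end: date

def overlaps(a_start, a_end, b_start, b_end):
    """True when the two inclusive date ranges share at least one day."""
    return a_start <= b_end and b_start <= a_end

def preengagement_check(e: Engagement, policy=POLICY) -> list:
    """Return the policy violations that block the test; an empty list means go."""
    problems = []
    if e.scope not in policy["scope_depth"]:
        problems.append(f"scope '{e.scope}' is outside the documented policy scope")
    elif e.depth != policy["scope_depth"][e.scope]:
        problems.append(f"depth '{e.depth}' does not match the mandated "
                        f"'{policy['scope_depth'][e.scope]}' for {e.scope}")
    if not e.approval_signed or e.approver_role not in policy["approver_roles"]:
        problems.append("missing signed approval from a designated executive")
    if not e.vendor_nda_on_file:
        problems.append("vendor NDA not on file")
    if not e.change_ticket:
        problems.append("no change-management ticket scheduling the test")
    for b_start, b_end in policy["blackout_windows"]:
        if overlaps(e.start, e.end, b_start, b_end):
            problems.append(f"test window overlaps blackout {b_start}..{b_end}")
    return problems

def retest_overdue(report_date: date, severity: str, retest_date, policy=POLICY) -> bool:
    """True if a critical finding has not been retested within the policy SLA."""
    if severity != "critical":
        return False
    deadline = report_date + timedelta(days=policy["critical_retest_days"])
    return retest_date is None or retest_date > deadline
```

The returned violation list doubles as the approval artifact to file alongside the signed sign-off, since it records exactly which policy rules were checked before the test was scheduled.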

Summary

Defining, documenting, and approving penetration testing requirements ensures tests are effective, safe, and aligned with business priorities. A clear policy that covers scope, frequency, tools, tester qualifications, approvals, and remediation workflows reduces operational risk and legal exposure. For SMBs this means creating concise, actionable rules, requiring executive sign-off, coordinating tests through change control, and tracking remediation to closure — a practical approach that satisfies the control and improves security posture.
