Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-11-2 – The cybersecurity requirements for penetration testing processes must be implemented.
Understanding the Requirement
This control requires organizations to implement the defined cybersecurity requirements for penetration testing processes so that testing is repeatable, safe, and effective. In practice that means establishing a documented program that schedules periodic testing, defines scope and rules of engagement, and ensures tests are authorized and remediated. As part of the Essential Cybersecurity Controls (ECC – 2 : 2024), SMBs should prioritize clear scope definitions and regular cadence so testing focuses on the most critical assets while minimizing operational risk.
Technical Implementation
- Create and approve a Penetration Testing Policy: Document who can authorize tests, acceptable test types (external network, internal, web apps, API, social engineering), required notifications, and escalation paths. Make the policy part of change-control so tests are scheduled and authorized before execution.
- Define scope and rules of engagement for each test: Maintain an asset inventory and categorize assets by criticality. For each engagement, produce a scoping statement that lists targets, excluded systems (e.g., medical devices, critical manufacturing control systems), testing windows, acceptable tools, and backout procedures to reduce risk of disruption.
- Establish a testing cadence and risk-based prioritization: Require at minimum annual external and web-application tests for internet-facing assets and more frequent tests (quarterly or after major changes) for high-risk systems. Use vulnerability scan results, incident history, and business-criticality to prioritize what gets penetration tested.
- Engage qualified testers and use controlled environments: Require proof of tester qualifications and liability coverage for third-party vendors. For internal test work, segregate test accounts and ensure tests run from isolated jump hosts or controlled VLANs to avoid collateral damage. Maintain signed Rules of Engagement and non-disclosure agreements before work begins.
- Integrate remediation and retest into the workflow: Create ticketing workflows that convert penetration test findings into prioritized remediation tasks with owners and SLAs. After fixes, require verification testing—either targeted re-tests from the original tester or a follow-up scan—to confirm vulnerabilities are closed.
- Maintain records, lessons learned, and continuous improvement: Keep test plans, reports, and remediation evidence for compliance and audit. Run a post-test review to update inventory, change the scope if new assets are discovered, tune detection rules in security monitoring, and incorporate findings into secure development and patching practices.
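The scoping, cadence and remediation-workflow steps above, as an added example that is not part of the original page or of the ECC framework: a small Python module that rejects scoping statements naming unknown or excluded assets, derives each asset's minimum test cadence from the inventory, and converts findings into SLA-tracked tickets that require a retest before closure. The inventory, exclusion list and SLA day counts are constructed values for illustration, not figures taken from the control.

```python
from datetime import date, timedelta

# Constructed inventory: asset -> (criticality, internet_facing).
INVENTORY = {
    "web-portal": ("high", True), "payment-api": ("high", True),
    "staging-site": ("medium", True), "order-db": ("high", False),
    "pos-terminals": ("high", False),
}
# Systems the policy keeps out of active testing (disruption risk too high).
EXCLUDED = {"order-db", "pos-terminals"}
# Illustrative remediation SLAs in days per severity (assumed, not from ECC).
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

def required_cadence(asset):
    """Minimum test frequency: excluded assets are not actively tested,
    high-risk assets quarterly, other internet-facing assets annually."""
    criticality, internet_facing = INVENTORY[asset]
    if asset in EXCLUDED:
        return "excluded"
    if criticality == "high":
        return "quarterly"
    return "annual" if internet_facing else "risk-based"

def validate_scope(scope):
    """Problems in a scoping statement; an empty list means it may be scheduled.
    Targets must be known and not excluded; window, authorizer, backout required."""
    problems = []
    for target in scope.get("targets", []):
        if target not in INVENTORY:
            problems.append(f"unknown target: {target}")
        elif target in EXCLUDED:
            problems.append(f"excluded system in scope: {target}")
    for field in ("window", "authorized_by", "backout_procedure"):
        if not scope.get(field):
            problems.append(f"missing {field}")
    return problems

def finding_ticket(finding, reported):
    """Finding -> remediation ticket with an SLA due date (ISO strings) and a
    retest flag, so closure requires verification rather than a developer note."""
    due = date.fromisoformat(reported) + timedelta(days=SLA_DAYS[finding["severity"]])
    return {"title": finding["title"], "asset": finding["asset"],
            "owner": finding["owner"], "due": due.isoformat(),
            "retest_required": True, "status": "open"}

def overdue(tickets, today):
    """Titles of open tickets whose SLA date has passed (ISO strings compare)."""
    return [t["title"] for t in tickets if t["status"] == "open" and t["due"] < today]
```

Run `validate_scope` before an engagement is put on the change-control calendar, and `overdue` from the ticketing system's daily job so missed SLAs surface before the retest is scheduled.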
Example in a Small or Medium Business
Acme Retail, a 60-person e-commerce SMB, formalized penetration testing after a quarterly vulnerability scan revealed exploitable web app issues. The IT manager created a one-page Penetration Testing Policy that required annual external and application tests and immediate testing after major deployments. Using the asset inventory, they scoped tests to the public web portal, payment integration endpoints, and a staging site; order processing databases and point-of-sale terminals were explicitly excluded. They hired a vetted third-party tester for a weekend window, signed a Rules of Engagement, and notified the hosting provider and C-suite before testing. Test findings were logged directly into the existing ticketing system and assigned remediation SLAs based on severity; developers fixed critical flaws within two weeks. After fixes, Acme scheduled a targeted re-test with the same provider to validate remediation, then updated their secure development checklist to prevent recurrence. The company maintained the test reports and evidence for 12 months and used lessons learned to improve patching cadence and monitoring rules.
Summary
Implementing this control combines clear policy, scoped and authorized testing, qualified testers, and a remediation-first workflow. For SMBs, practical steps—documenting rules, prioritizing assets, scheduling periodic tests, and requiring re-testing after fixes—keep testing effective while limiting operational risk. Together these policy and technical measures ensure penetration testing processes are repeatable, accountable, and aligned to business risk, meeting the requirement to implement the cybersecurity requirements for penetration testing processes.