
How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-11-3

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-11-3

January 17, 2026
3 min read


Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-11-3 – The cybersecurity requirements for penetration testing processes must include at least the following:

Understanding the Requirement

This control requires your organization to define and document the minimum components of any penetration testing process so that tests are authorized, safe to run, repeatable, and useful for improving security posture. Within ECC – 2 : 2024, the intent is that every test has clearly defined objectives (2-11-3-1) and defined rules and boundaries for execution (2-11-3-2): scope, permitted techniques, approvals, data handling, and reporting expectations. For an SMB this means formalizing how tests are requested, approved, executed, and followed up, so that risk can be assessed without disrupting operations or exposing sensitive data.

Technical Implementation

  • Define scope and objectives in a written Test Plan. For each engagement, record the systems/hosts, networks, applications, and data types in scope; list explicit out-of-scope items (an out-of-scope entry should always override a broader in-scope range that contains it); and state the testing objectives (e.g., external perimeter, web-app authentication bypass, internal lateral movement). Make the plan the required intake artifact before any testing begins. If in-scope systems are hosted by a cloud or SaaS provider, confirm that provider's penetration testing policy before the test starts.
  • Create a Rules of Engagement (RoE) template. The RoE must cover the permitted test approach (black-box, grey-box, or credentialed), time windows, maximum test impact (no destructive testing without explicit sign-off), notification procedures, escalation contacts, and who has final authority to stop the test. Keep a signed RoE on file for audits.
  • Obtain written authorization and designate emergency contacts. Require authorization from the system owner or designated approver and record the approval with a date and signature. Provide the testing team with on-call contacts, business-hours constraints, and a fail-safe contact who can pause or stop testing if production instability occurs.
  • Protect sensitive data and environments. Require non-production or sanitized datasets where possible. If production testing is necessary, limit data access, mandate encryption of test evidence, and delete captured sensitive artifacts once findings have been validated. Document the data-handling procedure in the plan, and treat the final report itself as sensitive since it describes exploitable weaknesses.
  • Use approved methodologies and toolsets. Specify accepted frameworks or methodologies (for example the OWASP Web Security Testing Guide for web applications, or agreed internal checklists) and authorize only approved automated tools and manual techniques. Maintain an allowed-tools list and require review of tools and scripts for safety (rate limits, payload content) before use.
  • Report, remediate, and verify. Require a structured report format: executive summary, findings with a CVSS score and priority, reproducible steps, sanitized screenshots/logs, and recommended remediation. Implement a remediation tracking workflow with target SLAs per severity and require a re-test or other verification once fixes are applied.
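The steps above can be turned into a mechanical pre-flight gate that a tester runs before launching any tool. The following is an added example written for this guide, not code from the original page or from any ECC publication: the RoE field names, the approver roles, the SLA day counts, and the sample engagement data (documentation IP ranges, placeholder names) are assumptions constructed for illustration. It checks that the RoE is complete and signed, that every requested target falls inside the in-scope ranges and outside the out-of-scope list, that the start time is inside the approved window, that the tool is on the allowed list, that destructive testing has explicit sign-off, and it derives a remediation deadline from a finding's CVSS score.

```python
"""Pre-flight checks for a penetration-test engagement against a Rules of Engagement.

Added example for this guide; field names, roles and SLA values are assumptions.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample RoE for a hypothetical quarterly web-app test (not real data).
SAMPLE_ROE = {
    "engagement_id": "PT-2026-Q1-WEBAPP",
    "objectives": ["authenticated web-app assessment", "auth bypass"],
    "in_scope": ["203.0.113.0/24", "198.51.100.10"],   # RFC 5737 documentation ranges
    "out_of_scope": ["203.0.113.5"],                    # payments host: never tested
    "window": ["2026-02-07T22:00:00+00:00", "2026-02-08T04:00:00+00:00"],
    "approvals": [
        {"role": "system_owner", "name": "A. Owner", "signed": True},
        {"role": "cto", "name": "B. Exec", "signed": True},
    ],
    "destructive_allowed": False,
    "allowed_tools": ["nmap", "burpsuite", "sqlmap"],
    "emergency_contact": "+1-555-0100 (on-call security lead)",
}

REQUIRED_FIELDS = ("engagement_id", "objectives", "in_scope", "window",
                   "approvals", "allowed_tools", "emergency_contact")
REQUIRED_APPROVERS = {"system_owner", "cto"}   # assumed approval policy
# Remediation SLA in days by minimum CVSS base score (assumed policy values).
SLA_DAYS = ((9.0, 7), (7.0, 30), (4.0, 90), (0.0, 180))


def validate_roe(roe):
    """Return a list of problems; an empty list means the RoE is complete and signed."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not roe.get(f)]
    signed = {a["role"] for a in roe.get("approvals", []) if a.get("signed")}
    problems += [f"missing signed approval: {r}" for r in sorted(REQUIRED_APPROVERS - signed)]
    try:
        start, end = (datetime.fromisoformat(t) for t in roe.get("window") or [])
        if end <= start:
            problems.append("window ends before it starts")
    except (ValueError, TypeError):
        problems.append("window is not a pair of ISO-8601 timestamps")
    return problems


def target_in_scope(roe, target):
    """Out-of-scope entries win over in-scope ranges; unparseable targets are refused."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False   # hostnames must be resolved to an address before the gate runs
    if any(ip in ipaddress.ip_network(n, strict=False) for n in roe.get("out_of_scope", [])):
        return False
    return any(ip in ipaddress.ip_network(n, strict=False) for n in roe["in_scope"])


def within_window(roe, when):
    """True if the timezone-aware datetime `when` lies inside the approved window."""
    start, end = (datetime.fromisoformat(t) for t in roe["window"])
    return start <= when <= end


def remediation_deadline(cvss, found_at):
    """Map a CVSS base score to the date by which the fix (and re-test) is due."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for threshold, days in SLA_DAYS:
        if cvss >= threshold:
            return found_at + timedelta(days=days)


def preflight(roe, targets, tool, when, destructive=False):
    """Gate to run before launching anything: returns (ok, list of reasons to stop)."""
    reasons = validate_roe(roe)
    if not reasons and not within_window(roe, when):
        reasons.append(f"outside approved window: {when.isoformat()}")
    reasons += [f"target not in scope: {t}" for t in targets if not target_in_scope(roe, t)]
    if tool not in roe.get("allowed_tools", []):
        reasons.append(f"tool not on allowed list: {tool}")
    if destructive and not roe.get("destructive_allowed"):
        reasons.append("destructive testing requires explicit sign-off in the RoE")
    return (not reasons, reasons)


if __name__ == "__main__":
    start = datetime(2026, 2, 7, 23, 0, tzinfo=timezone.utc)
    ok, why = preflight(SAMPLE_ROE, ["203.0.113.17", "203.0.113.5"], "sqlmap", start)
    print("go" if ok else "STOP", why)
    print("critical fix due by:", remediation_deadline(9.8, start).date())
```

Run as a script, the gate refuses the request because 203.0.113.5 is explicitly excluded even though it sits inside the in-scope /24; that precedence is the important design choice, since a tester who only checks the in-scope list would hit the payments host. The same functions can be called from an intake form handler or a CI job that wraps the scanner invocation.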

Example in a Small or Medium Business

A 50-person SaaS company schedules quarterly penetration tests for its customer-facing application. The security lead creates a test intake form that captures scope, objectives, system owners, and whether credentials are provided. They use a standard Rules of Engagement template that prohibits destructive tests and lists business-hours and emergency contacts; before each test, a product manager and CTO sign the RoE. The selected tester receives sanitized production data and an approved tool list; the tester runs an authenticated web-app assessment during a predefined overnight window to limit user impact. After the engagement the tester delivers a report with prioritized findings and remediation steps; the security lead opens tickets in the company issue tracker with SLA targets for remediation. When a critical SQL injection is fixed, the company schedules a follow-up verification test and updates the secure coding checklist to prevent recurrence. Throughout the process all approvals and reports are retained for compliance and to inform the next test cycle.

Summary

By formalizing scope, objectives, rules of engagement, authorization, data protections, tool controls, and remediation workflows, SMBs can meet ECC 2-11-3’s requirement to make penetration testing safe, authorized, and actionable. These policy and technical measures reduce operational risk during tests, ensure findings are traceable and fixed, and create a repeatable process that builds security maturity without disrupting the business.
