Penetration testing frequency
I was just curious whether either ISO 27001 and/or NIST controls specify the frequency with which (network and/or application) penetration testing should be performed?
Neither ISO 27001 nor NIST controls define a frequency for penetration testing, but a good start for defining pen testing periodicity would be these criteria:
- results of previous penetration tests
- importance and related risks to the processes/systems that will be part of the penetration test's scope
This article will provide you with further explanation about penetration tests:
- How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
Oct 11, 2019