What does the CIS Controls Version 8 say about Pen Testing?

Independent penetration testing provides critical objective insights about vulnerabilities in organizational defenses and mitigating controls. As part of a comprehensive, ongoing security improvement, pen tests are required by recognized cybersecurity frameworks including CIS, PCI Security Standards, NIST (SP800-115) and OWASP.  

Released in May 2021, The Center for Internet Security (CIS) Critical Security Controls Version 8 Control 18 addresses penetration testing. According to CIS Control 18, it is critical to test an organization's resiliency by identifying and exploiting controls' weaknesses and simulating a real-world attacker's actions. 

Why Should you Perform Pen Testing? – Convince, Verify and Validate 

Outside the fact that most organizations are required by law or regulation to perform periodic testing, often pen tests are done for one of the following specific reasons: 

  1. As a demonstration to convince decision-makers of a need to address weaknesses  
  2. To verify the correct operation of the organization's defenses 
  3. Or to validate that the organization built the proper protection in the first place. 

Vulnerability Testing versus Penetration Testing 

Though often (incorrectly) used interchangeably, vulnerability and pen testing are not the same. Useful as a starting point, vulnerability tests (or scans) generally use automated tool kits to identify and score known vulnerabilities in the system under test. Pen testing leverages human cunning to go further and exploit weaknesses to see how far an attacker could get and what data and business processes might be impacted by the attack. 

Reconnaissance and Scoping 

Your organization should define a clear scope and rules of engagement for penetration testing. The project scope should include high-value assets and lower-value systems that may be used as pivot points to compromise higher-value targets. An often-overlooked step is to conduct an attack surface analysis to better understand your actual attack surface down to the last vulnerable server. It is crucial to make sure you discover all in-scope assets versus relying on a static list, which might be (is probably) outdated or incomplete. 

For more information on the value of Attack Surface Analysis, please read our blog 'Combating feedback loops with Attack Surface Analysis.' 

CIS v8, Control 18: 

18.1 Establish and Maintain a Penetration Testing Program 

Establish and maintain a penetration testing program appropriate to your organization's mission, size, complexity, and maturity. The Penetration testing scope could include network, web application, Application Programming Interface (API), hosted services, and physical premise controls. 


18.2 Perform Periodic External Penetration Tests 

Perform periodic external penetration tests no less than annually. External penetration testing must include reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party.  

18.3 Remediate Penetration Test Findings 

18.4 Validate Security Measures 

18.5 Perform Periodic Internal Penetration Tests 

CIS Recommended Guidance 

For further examination of the topic, CIS recommends the following resources as compatible guidance on penetration testing methodology and standards practice: 

  • PCI Security Standards Council, Penetration Testing Guidance 
  • OWASP Penetration Testing Methodologies 
  • NIST SP800-115, Technical Guide to Information Security Testing and Assessment 

Standards like the PCI offer rigorous guidance on penetration testing components, methodologies, reporting, and documentation.  

Qualifications of a Pen Tester 

According to the PCI SSC standard, the tester must have an independent perspective, whether internal or external resources. For example, they are ineligible to perform a pen test if they were involved in installing, maintaining or managing target systems. Additional guidelines when considering testers are: 

  • Professional certifications including CISSP, OSCP, OSWP, CPT & CEH 
  • Do they follow a standards framework-based methodology? 
  • Experience
    • How many years has the organization they work for been pen testing?
    • How many years does the tester have as a pen tester?
    • Has the tester done work for organizations similar to yours?What technologies and unique advantages can they offer? 

The Inherent Risks of Penetration Testing 

Penetration tests are expensive, complex, and potentially introduce their own risks. Therefore, it would be best if you only relied on experienced people from reputable vendors to conduct them. In addition, the output of a testing report needs to be protected because it gives step-by-step instructions on how to break into the target assets. 

CIS Controls 

The CIS Controls reflect the combined knowledge of actual attacks and effective defenses of experts across the ecosystem. According to experts, the CIS Controls are the most effective and specific technical measures available to detect, prevent, respond, and mitigate damage from the most common to the most advanced attacks. 

Evaluating yourself against the CIS Controls is a starting point that an enterprise can use for immediate, high-value action. In addition, CIS is demonstrably consistent with other formal risk management frameworks and provides a basis for standard action across diverse industries. 

For more information, please read our blogs on CIS Controls Security Framework and System Hardening using CIS Benchmarks. 

Why Truvantis 

As proud members of CIS and front-line cybersecurity veterans, Truvantis can help you to create a robust security foundation that complies with the CIS Controls standard. 

Our CIS Controls Gap Analysis comprehensively assesses your system against this standard. In addition, we offer a vast array of security products and services to help you achieve the CIS Controls standard with custom recommendations that are right for your business.   

Contact Truvantis today to learn more about the CIS Controls and CIS Benchmarks for your business. 

Truvantis is a cybersecurity and privacy consulting organization with comprehensive expertise in implementing, testing, auditing, and operating information security programs. We specialize in helping our clients improve their cybersecurity and privacy posture through practical, effective, and actionable programs—balancing security, technology, business impact, and organizational risk tolerance. Contact us to get started today. 

Contact Us
Consult with a CIS Controls expert to find out how to use this framework to manage your risk.
Schedule a call
Contact Us