CA-08 Penetration Testing

Family: Security Assessment and Authorization

Baseline: High

Description

Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined systems or system components].

Supplemental Guidance

Penetration testing is a type of assessment that is conducted on a system or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries.

Changes from Rev 4

No significant changes from Rev 4.

Compliance Mappings

ISO 27001:2022

A.8.34

ISO 27002:2022

8.34

COBIT 2019

MEA04

CIS Controls v8

CIS 16.13, CIS 18, CIS 18.1, CIS 18.2, CIS 18.4, CIS 18.5

NIST CSF 2.0

ID.IM-02

PCI DSS v4.0.1

11.4

CSA CCM v4

AA-02, AIS-05, TVM-06

CSA AICM v1

A&A-02, AIS-05, AIS-13, MDS-03, TVM-06, TVM-12

NIS2 Directive

Art. 21(2)(f)

PRA Operational Resilience

SS1/21-6.1

MAS TRM

13

APRA CPS 234

Para 22-23, Para 24

EU DORA

Art. 24(1), Art. 25(1), Art. 26

BIO2

8.34

RBI CSF

Annex1.18, ITGRCA.26

LGPD + BCB 4893

BCB.Art.10

HKMA TM-E-1

TME1.7.4

DNB Good Practice

DNB.16.1, DNB.16.5, DNB.22.1

EU CRA

CRA.I.2a, CRA.II.3

SWIFT CSCF

SWIFT.7.3A

SAMA CSF

1.9

NCA ECC

1-8, 2-11

Qatar NIA

OS

CBUAE

CR-10

CBE CSF

OVM-3

SA JS2

JS2-7.7

CBN CSF

Part 2.3, Part 3.8

BoG CISD

CISD-X

BoM CTRM

4.3

IOSCO Cyber Resilience

SA-3, TEST-1, TEST-2, TEST-4

CPMI-IOSCO PFMI

CG.TE

FFIEC IS

II.A.2, IV.A, IV.A.1, IV.A.2, IV.A.3

NYDFS 500

500.5

ECB CROE

CROE.2.6.1, CROE.2.6.2

EBA ICT Guidelines

3.4.6

SEBI CSCRF

DE.VAVAPT

BOT Cyber Resilience

Ch3.2

CMMC 2.0

CARA

NERC CIP

CIP-010-4

10 CFR 73.54

RG5.71-C-CA

TSA Pipeline SD

SD-1 Sec 3, SD-2 Sec G

API 1164

Sec 15

IAEA NSS 17-T

Sec 11

FIPS 140-3

FIPS 140-3 §7.10

CBEST

CBEST.3, CBEST.4

TIBER-EU

TIBER.PREP, TIBER.RT

Common Criteria

CC Part 3 — SAR, CEM

ISAE 3402

Clause 6

Lloyd's Minimum Standards

MS8.11, MS9.2

NAIC Insurance Data Security

4-monitoring

PRA SS1/23

P4.2, P5.4

HITRUST CSF v11

06.c

FDA 21 CFR Part 11

§11.300(e)

FDA Cybersecurity Guidance

CRA-1, ST-2

ISO 27799

18.3, 18.4

NHS DSPT

NDG-9.8

CCSS v9.0

1.02.7, 2.01.2, 2.01.3, 2.03.2

BSSC Standards

TIS-02, GSP-08, GSP-15