Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-11-4 – Cybersecurity requirements for penetration testing processes must be reviewed periodically.
Understanding the Requirement
This control requires organizations to establish a periodic, documented review of the cybersecurity requirements that govern penetration testing activities. In practice that means creating an approved review plan with a defined interval (for example, quarterly), coordinating the review between the Cybersecurity function and relevant departments such as IT, updating requirements when laws or systems change, and documenting and obtaining senior approval for any changes. The intent is to ensure penetration testing remains aligned with current risks, legal obligations, and technology environments.
Technical Implementation
- Establish a documented review plan and schedule. Create a written plan that defines the scope (internal apps, external assets, cloud environments), frequency (e.g., quarterly or semi‑annual), roles (owner, reviewers, approver), and the review checklist. Keep the plan versioned in a compliance repository so each review can be tracked.
- Integrate stakeholders and responsibilities. Assign the Cybersecurity function as the review owner and include IT, DevOps, legal/compliance, and application owners. Use short, recurring meetings or a shared calendar to ensure participants complete their portions (risk assessment, asset inventory updates, regulatory change checks).
- Use a mix of manual and automated review channels. Smaller organizations can run the review through documented manual processes (email approvals and sign-offs); larger SMBs should use a compliance management system or ticketing tool to automate reminders, collect evidence, and record approvals.
- Update testing requirements on trigger events. Define triggers that force an out‑of‑cycle review: major infrastructure changes (cloud migration, new SaaS), significant code releases, public vulnerability disclosures, or changes to laws/regulations. When triggered, update the testing scope, the approved techniques, and any required test windows or escalation paths.
- Document changes and obtain formal approval. Record all review outcomes, decision rationales, and updated requirement documents. Route updates to the head of the organization (or their deputy) for formal approval; keep signed or recorded approvals attached to the requirement artifact to demonstrate governance.
- Measure and iterate. Track metrics such as time between reviews, percentage of required updates implemented, and findings resulting from penetration tests that trace back to outdated requirements. Use these metrics to refine the review cadence and improve clarity in the requirement statements.
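The cadence, trigger and metrics steps above can be checked mechanically rather than by reading the ticket history by hand. The following Python script is an added example, not part of the ECC text or any NCA tooling: it models the review plan (cadence, trigger kinds, accepted approvers), the review history (dates, approval evidence, updates decided and implemented) and a log of change events, then reports whether the next review is overdue, whether an out‑of‑cycle review is pending, which past reviews lack approval evidence, and the two metrics the control suggests. All dates, event kinds and role names are constructed sample values.

```python
"""Cadence, trigger and evidence check for a penetration-testing requirements review plan.

Added example (not from the ECC text). Plan fields, event kinds and the sample
history below are constructed to illustrate the checks, not taken from a real program.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class ReviewPlan:
    """The approved review plan: cadence plus the events that force an out-of-cycle review."""
    cadence_days: int
    trigger_kinds: frozenset      # change kinds that require a review before the next cycle
    approvers: frozenset          # roles whose sign-off counts as formal approval


@dataclass(frozen=True)
class ReviewRecord:
    """One completed review cycle and the evidence attached to it."""
    review_date: date
    approved_by: Optional[str]    # None when no approval evidence is attached to the record
    updates_required: int         # requirement changes the review decided on
    updates_implemented: int      # how many were actually carried into the requirements document


@dataclass(frozen=True)
class ChangeEvent:
    """A change to systems, code or regulation logged since the plan was adopted."""
    event_date: date
    kind: str


def assess_review_status(plan, history, events, today):
    """Report due date, overdue days, pending triggers and missing approval evidence."""
    ordered = sorted(history, key=lambda r: r.review_date)
    last = ordered[-1].review_date
    due = last + timedelta(days=plan.cadence_days)
    # Only trigger-class events logged after the last review still need a review.
    pending = sorted(
        (e for e in events if e.event_date > last and e.kind in plan.trigger_kinds),
        key=lambda e: e.event_date,
    )
    # A review with no approver, or one signed off by someone outside the approved roles,
    # does not demonstrate the governance the control asks for.
    missing = [r.review_date for r in ordered if r.approved_by not in plan.approvers]
    return {
        "last_review": last,
        "next_due": due,
        "overdue_days": max((today - due).days, 0),
        "pending_triggers": [e.kind for e in pending],
        "out_of_cycle_review_needed": bool(pending),
        "reviews_missing_approval": missing,
    }


def review_metrics(history):
    """Mean interval between reviews and the share of decided updates that were implemented."""
    ordered = sorted(history, key=lambda r: r.review_date)
    gaps = [(b.review_date - a.review_date).days for a, b in zip(ordered, ordered[1:])]
    required = sum(r.updates_required for r in ordered)
    implemented = sum(r.updates_implemented for r in ordered)
    return {
        "mean_days_between_reviews": sum(gaps) / len(gaps) if gaps else None,
        "pct_updates_implemented": round(100 * implemented / required, 1) if required else None,
    }


# Constructed sample data: a quarterly plan and three past reviews.
SAMPLE_PLAN = ReviewPlan(
    cadence_days=90,
    trigger_kinds=frozenset({"cloud_migration", "third_party_api", "regulation_change"}),
    approvers=frozenset({"CEO", "Deputy CEO"}),
)
SAMPLE_HISTORY = [
    ReviewRecord(date(2024, 1, 15), "CEO", updates_required=3, updates_implemented=3),
    ReviewRecord(date(2024, 4, 10), "CEO", updates_required=2, updates_implemented=1),
    ReviewRecord(date(2024, 7, 8), None, updates_required=1, updates_implemented=1),  # no evidence
]
SAMPLE_EVENTS = [
    ChangeEvent(date(2024, 6, 1), "cloud_migration"),    # before the July review: already covered
    ChangeEvent(date(2024, 8, 20), "third_party_api"),   # after it: forces an out-of-cycle review
    ChangeEvent(date(2024, 9, 1), "minor_ui_release"),   # not a trigger kind
]
SAMPLE_TODAY = date(2024, 10, 15)


if __name__ == "__main__":
    for key, value in assess_review_status(SAMPLE_PLAN, SAMPLE_HISTORY, SAMPLE_EVENTS, SAMPLE_TODAY).items():
        print(f"{key}: {value}")
    for key, value in review_metrics(SAMPLE_HISTORY).items():
        print(f"{key}: {value}")
```

With the sample data the script reports the quarterly review as nine days overdue, a pending out‑of‑cycle review caused by the August third‑party API integration, and the July review as lacking approval evidence; the metrics show reviews averaging 87.5 days apart and five of six decided updates implemented. The same structure can be fed from a ticketing system export so the check runs on a schedule instead of during the audit.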
Example in a Small or Medium Business
A 65‑employee e‑commerce SMB establishes a quarterly penetration‑testing requirements review led by their security lead. They create a one‑page review plan that lists in‑scope assets (public web app, API, payment integration), the quarterly cadence, participants (security lead, IT operations manager, product owner, and legal counsel), and the review checklist. Each quarter the security lead sends a review packet through their ticketing system that includes the current requirements document, a short change log, recent architecture updates, and any regulatory notices. The IT manager updates the asset inventory and flags recent deployments; legal confirms no new compliance obligations; product flags feature rollouts that change exposure. If the review identifies changes (for example, a new third‑party API integration), the team edits the penetration testing requirements to expand scope and include new test scenarios, then routes the update to the CEO for approval. They attach the CEO's approval to the ticket and schedule the next test window, ensuring the penetration test will reflect the updated requirements and demonstrating a clear audit trail for future reviews.
Summary
Periodic review of penetration testing requirements combines policy controls (a documented review plan, defined stakeholders, and formal approvals) with technical processes (asset inventory updates, automated reminders, and trigger‑based reviews). For SMBs this approach keeps test scope relevant to evolving systems and regulations, provides a clear audit trail showing leadership approval, and reduces the chance that penetration testing misses critical assets or emerging threats. Consistent measurement and incremental improvements close the loop so testing remains effective and defensible over time.