Penetration Testing for Compliance: PCI DSS, SOC 2, ISO 27001, HIPAA, FedRAMP, and CMMC
What each compliance framework requires, how often to test, what it costs, and what auditors actually want to see in your pentest report.
| Framework | Required? | Frequency | Est. Annual Cost |
|---|---|---|---|
| PCI DSS | Mandatory | Annual + after significant changes | $15,000 - $45,000 |
| SOC 2 | Strongly recommended | Annual | $10,000 - $30,000 |
| ISO 27001 | Best practice (near-mandatory) | Annual minimum | $12,000 - $35,000 |
| HIPAA | Not explicitly mandated, but expected | Periodic (typically annual) | $15,000 - $50,000 |
| FedRAMP | Mandatory | Annual | $30,000 - $80,000 |
| CMMC | Required for Level 2+ | Triennial assessment (annual self-assessment at Level 1) | $25,000 - $60,000 |
PCI DSS v4.0.1
Required: Mandatory. Frequency: Annual + after significant changes. Est. annual cost: $15,000 - $45,000
Requirement
Requirement 11.4: External and internal penetration testing at least annually and after significant infrastructure or application changes.
Scope
All systems in the Cardholder Data Environment (CDE) and connected systems. Both external and internal network testing. Web application testing for payment-facing apps.
Tester Requirements
Must be performed by a qualified internal resource or a qualified external third party. PCI SSC does not mandate specific certifications, but CREST-accredited firms, OSCP-certified testers, and QSA firms are the industry standard.
Key Points
- External pentest must be performed by an independent party
- Internal pentest can be performed by qualified internal staff
- Network segmentation testing required if segmentation controls are used
- Must test after any significant change to the CDE
- Quarterly ASV scans required in addition to the annual pentest
What Auditors Want to See
Full penetration test report with methodology, findings, CVSS scores, remediation evidence, and retest results. Auditors expect to see a clear scope statement that maps to the CDE.
SOC 2 Type II
Required: Strongly recommended. Frequency: Annual. Est. annual cost: $10,000 - $30,000
Requirement
Trust Services Criteria CC6.1 and CC7.1 do not explicitly mandate penetration testing, but auditors consistently expect annual pentest evidence as part of logical and physical access controls.
Scope
Systems and applications within the SOC 2 trust boundary. Typically includes customer-facing web applications, APIs, and supporting infrastructure.
Tester Requirements
No specific certification required by AICPA. However, most auditors expect testing by a firm with CREST, OSCP, or equivalent credentials.
Key Points
- Not technically mandatory, but auditors almost always expect it
- Test results should map to trust services criteria
- Remediation evidence strengthens the audit outcome
- Can be combined with other compliance testing
- Continuous monitoring controls can reduce pentest scope
What Auditors Want to See
Penetration test report mapping findings to relevant trust services criteria. Evidence of remediation for High and Critical findings. Management response for accepted risks.
ISO 27001:2022
Required: Best practice (near-mandatory). Frequency: Annual minimum. Est. annual cost: $12,000 - $35,000
Requirement
Annex A Control 8.8 (Management of Technical Vulnerabilities): Requires organisations to manage technical vulnerabilities. Penetration testing is the industry-standard method for validating vulnerability management effectiveness.
Scope
Systems within the ISMS scope. Typically all production systems, but can be phased based on risk assessment.
Tester Requirements
No specific certification mandated. CREST and CHECK accredited firms are preferred in the UK and internationally.
Key Points
- Certification bodies expect pentest evidence in most audits
- Risk assessment determines which systems to test first
- Can be phased across multiple audit cycles
- Internal audit teams can perform testing if qualified
- Findings feed into the risk treatment plan
What Auditors Want to See
Pentest report with CVSS-scored findings, risk treatment plan showing how findings are addressed, evidence of management review.
HIPAA Security Rule
Required: Not explicitly mandated, but expected. Frequency: Periodic (typically annual). Est. annual cost: $15,000 - $50,000
Requirement
45 CFR 164.308(a)(1)(ii)(A): Risk Analysis requirement. While HIPAA does not use the term 'penetration test', the requirement for technical evaluation of security controls is widely interpreted to include penetration testing.
Scope
Systems that create, receive, maintain, or transmit electronic Protected Health Information (ePHI). Includes EHR systems, patient portals, medical devices, and supporting infrastructure.
Tester Requirements
No specific certification required. Familiarity with healthcare IT environments and ePHI handling is essential.
Key Points
- Not explicitly required but widely expected by auditors and regulators
- Average HIPAA fine is $1.5 million, making testing a cost-effective safeguard
- Must cover all systems handling ePHI
- Medical device testing may require specialised expertise
- Results should feed into the required risk analysis documentation
What Auditors Want to See
Penetration test report demonstrating coverage of ePHI systems. Risk analysis documentation showing how findings are treated. Evidence of remediation timeline.
FedRAMP Rev 5
Required: Mandatory. Frequency: Annual. Est. annual cost: $30,000 - $80,000
Requirement
CA-8: Penetration testing is required as part of the FedRAMP Authorization process. Must be performed by an accredited Third-Party Assessment Organisation (3PAO).
Scope
The entire cloud service offering (CSO) boundary as defined in the System Security Plan (SSP). Includes all components, interconnections, and data flows.
Tester Requirements
Must be performed by an accredited 3PAO (Third-Party Assessment Organisation). 3PAO must hold A2LA or equivalent accreditation.
Key Points
- Mandatory for all cloud service providers serving federal agencies
- Must be performed by an accredited 3PAO, not just any pentest firm
- Results are reviewed by the FedRAMP PMO and the authorising official
- High baseline systems require more rigorous testing
- Penetration test must cover the full authorization boundary
What Auditors Want to See
3PAO penetration test report following FedRAMP penetration test guidance. Security Assessment Report (SAR) including pentest findings. Plan of Action and Milestones (POA&M) for unresolved findings.
CMMC 2.0
Required: Level 2 and above. Frequency: Triennial assessment (annual self-assessment at Level 1). Est. annual cost: $25,000 - $60,000
Requirement
CMMC Level 2 requires implementation of NIST SP 800-171 controls, including CA-8 (Penetration Testing) for organisations handling Controlled Unclassified Information (CUI).
Scope
All systems processing, storing, or transmitting CUI. Includes enclaves, boundary devices, and interconnections with other systems.
Tester Requirements
Level 2 assessments must be performed by a CMMC Third-Party Assessment Organisation (C3PAO). Level 3 assessments are performed by DIBCAC.
Key Points
- Required for defence contractors handling CUI
- Level 2 requires third-party assessment by a C3PAO
- NIST SP 800-171 control mapping is essential
- Phased rollout: priority for critical programs
- Penetration testing validates technical control effectiveness
What Auditors Want to See
Penetration test report mapping to NIST SP 800-171 controls. C3PAO assessment report. System Security Plan (SSP) and POA&M documentation.
Multi-Framework Efficiency: Save 30-40%
Many organisations need to satisfy multiple compliance frameworks simultaneously. A well-scoped penetration test can satisfy PCI DSS, SOC 2, and ISO 27001 requirements with a single engagement, saving 30-40% compared to running separate tests for each framework.
| Approach | What it covers | Annual cost |
|---|---|---|
| Separate tests | PCI DSS ($20k) + SOC 2 ($15k) + ISO 27001 ($15k) | $50,000/year |
| Combined programme | One comprehensive test covering all three frameworks | $30,000-$35,000/year |
| Your savings | Reduced tester ramp-up, shared scope, combined reporting | $15,000-$20,000 saved |
For detailed PCI compliance cost data, see PCIComplianceCost.com. For GDPR penalty context, see GDPRFine.com.