// NEXUSVOID RESEARCH & ANALYSIS
<- ALL RESEARCH & ANALYSIS
NexusVoid AI Research
Does SOC 2, ISO 27001, or PCI DSS Require a Penetration Test?
PCI DSS explicitly requires penetration testing; SOC 2, ISO 27001, and HIPAA do not name it but expect it in practice. A framework-by-framework answer on where a pentest is mandatory versus strongly expected.
VAPT, penetration testing, SOC 2, ISO 27001, PCI DSS, HIPAA, compliance
RESEARCH · Reference. Based on published framework requirements; primary sources linked. Not legal advice.
The short answer: PCI DSS explicitly requires penetration testing. SOC 2, ISO 27001, and HIPAA do not name it, but in practice you will struggle to pass an audit or close an enterprise deal without one. Here is what each framework actually says, and where a pentest is mandatory versus strongly expected.
PCI DSS — explicitly required
This is the one framework that says it outright. PCI DSS v4.0 Requirement 11.4 mandates internal and external penetration testing at least once every twelve months and after any significant infrastructure or application change. Service providers must also test segmentation controls every six months. If you handle cardholder data, a pentest is not optional.
SOC 2 — not named, expected in practice
SOC 2 is built on the AICPA Trust Services Criteria, which are outcome-based rather than a checklist, so no clause says "run a pentest." But the monitoring and risk criteria (CC4 and CC7) push toward independent testing of your controls, and most auditors and enterprise customers expect a recent penetration test as evidence. Without one, expect questions in both the audit and the sales security review.
ISO 27001 — implied through Annex A
ISO/IEC 27001:2022 does not mandate a pentest by name either, but Annex A control 8.8, technical vulnerability management, together with the standard's risk-based approach, makes penetration testing the usual way organizations evidence that their controls actually work. Certification auditors routinely expect it.
HIPAA — recommended, risk-driven
The HIPAA Security Rule requires a risk analysis (45 CFR 164.308) but stops short of mandating penetration testing. Guidance from HHS and NIST SP 800-66 treats a technical evaluation, which a pentest satisfies, as a recommended part of demonstrating due diligence. Not required, but strongly advisable.
The bottom line
PCI DSS: Required, at least annually and after significant change (Req 11.4).
SOC 2: Not named, but expected by auditors and customers.
ISO 27001: Not named, expected as evidence for Annex A 8.8.
HIPAA: Not required, recommended as part of the risk analysis.
Caveats
Framework versions change, PCI DSS is on v4.0.1 and ISO 27001 on its 2022 revision, and your assessor's interpretation is what ultimately governs your audit. Treat this as a map, not a substitute for your QSA, auditor, or counsel.
Where this fits
If you need a penetration test for an audit or a customer's security review, that is exactly what our VAPT produces: an independent test and a report you can map to the framework you are being held to.
DATA SOURCES
PCI DSS v4.0 (PCI SSC); AICPA Trust Services Criteria; ISO/IEC 27001:2022; HIPAA Security Rule (45 CFR 164.308) and NIST SP 800-66
// FROM THE LAB
Pentesting is easy and affordable now.
Continuous VAPT you can run every month, with a report built for AI-built apps.
RUN A VAPT ->
// CYBER NETWORK
Shape the next analysis.
A curated network of security practitioners who help set our research agenda. By application.
APPLY TO JOIN ->
Get new research first
We publish original analysis and experiments on how attackers actually move. Follow along:
PAGE CONTENTS
RECENT POSTS
VIEW ALL RESEARCH ->