GASP: AICF


INF-011 Penetration Testing

Tier 2+

Description

Independent penetration testing of production systems, APIs, and infrastructure is conducted at a defined frequency (at least annually) and after significant architectural changes. Findings are tracked and remediated within defined timelines. Test scope and methodology are documented.

Rationale

Automated scanning misses logic flaws and chained vulnerabilities. Independent penetration testing validates the effectiveness of technical controls under adversarial conditions.

Framework Mappings (3)

TVM-07  Penetration Testing  (full)
CA-7  Continuous Monitoring  (partial)
CC7.1  Detection and Monitoring Procedures  (partial)

Evidence (2)

Evidence type: certification (collected manually)

Most recent penetration test report from an independent testing firm, covering production systems, APIs, and infrastructure.

Example: Penetration test report (full version, not executive summary only) from an independent testing provider, dated within the last 12 months, showing test scope, methodology, findings by severity, and remediation status

Test: Request the most recent penetration test report and the remediation tracking register. Verify: (1) the test was conducted by an independent party (external firm or independent internal team); (2) scope covers production APIs, web applications, and network infrastructure; (3) methodology is documented (e.g., PTES, OWASP, CREST); (4) all critical and high findings have a documented remediation record or accepted exception.

Evidence type: record (collected manually)

Penetration test finding remediation record showing tracked closure of vulnerabilities identified in the most recent test.

Example: Jira or equivalent tracking export showing all penetration test findings, linked to the test report reference, with severity, status (open/closed), and closure date

Test: Request the remediation tracking records for the last two penetration test cycles. Verify: (1) all critical findings have been remediated or have a documented risk acceptance with approver; (2) remediation was completed within the timelines specified in the penetration testing policy; (3) a re-test or evidence of fix was obtained for critical and high findings.

Questions (2)

Question type: boolean (yes/no)

Is independent penetration testing of production systems, APIs, and infrastructure conducted at least annually and after significant architectural changes?

Testing must be conducted by an independent party — either an external firm or an internal red team independent from the systems under test. The test report should be available on request.

Question type: select (one option)

Which of the following best describes the scope and approach of your most recent penetration test?

Options:
External firm, full-scope test covering web applications, APIs, infrastructure, and internal network
External firm, scoped test covering external-facing APIs and web applications only
Internal team (independent from systems under test), full scope
Bug bounty programme only — no structured penetration test
Penetration test not conducted in the last 12 months

A full-scope external test is the gold standard. At minimum, production APIs and public-facing web applications should be in scope. Bug bounty alone does not satisfy this requirement.