CIS Control 18.2: Perform Periodic External Penetration Tests
External penetration testing is your organization's annual reality check against real-world attackers. CIS Control 18.2 requires conducting qualified penetration tests at least yearly to identify exploitable vulnerabilities before adversaries do. For SMBs with limited security budgets, understanding and documenting these tests is critical for compliance and risk reduction.
What this means
This control mandates that you conduct external penetration tests—simulated attacks by qualified security professionals—at minimum annually to evaluate your external security posture. These tests must include reconnaissance activities to identify exploitable information about your enterprise and environment. The key requirement is using a qualified, experienced party with specialized penetration testing skills, not relying on internal resources or unqualified vendors.
How to comply
- 1.Establish a penetration testing schedule requiring tests at minimum annually, with more frequent testing for high-risk environments
- 2.Define scope to include external reconnaissance of enterprise systems, networks, and environmental information exposure
- 3.Select a qualified external penetration testing vendor with demonstrated expertise, certifications (OSCP, GPEN), and relevant experience
- 4.Document test objectives, scope, authorized targets, and rules of engagement before testing begins
- 5.Ensure testing includes both active attacks and passive reconnaissance to simulate real adversary tactics
- 6.Collect and review detailed findings, including vulnerability severity, exploitability, and business impact
- 7.Develop remediation plans prioritizing critical and high-severity findings with target closure dates
- 8.Track remediation progress and validate fixes through retesting or follow-up assessments
- 9.Maintain documentation of all tests, findings, and remediation efforts for audit and compliance purposes
Evidence auditors look for
- Annual penetration test reports signed by qualified external security firm
- Penetration testing contracts specifying scope, methodology, and qualifications
- Test authorization documentation and signed rules of engagement
- Executive summaries showing test dates, vulnerabilities found, and severity ratings
- Remediation tracking logs with vulnerability IDs, findings, and closure evidence
- Follow-up test reports validating that critical findings were remediated
- Management sign-off on penetration testing program and annual schedule
- Evidence of retesting after major infrastructure or application changes
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates penetration test scheduling, evidence collection, and remediation tracking so you can demonstrate CIS 18.2 compliance without manual spreadsheets.
See how GRCWatch handles this control automatically
Start free trial