Security Testing That Satisfies Auditors and Protects the Business

PCI-DSS v4.0 Requirement 11.3 mandates annual external and internal penetration testing of all systems that store, process, or transmit cardholder data (CHD), as well as segmentation verification to confirm that out-of-scope systems cannot reach the cardholder data environment (CDE).

Our PCI-DSS assessments cover:

• External penetration test of all internet-facing CDE components
• Internal penetration test simulating an insider or compromised-system scenario
• Network segmentation verification — confirming CDE isolation from out-of-scope segments
• Application-layer testing of all payment applications within scope
• Written report formatted for your Qualified Security Assessor (QSA)
• Remediation re-test to confirm findings are addressed before audit

All testing methodology aligns to the PCI Security Standards Council's Penetration Testing Guidance and the CREST methodology.

SOC 2 Type II audits assess whether security controls were operating effectively over a defined observation period — typically 6 or 12 months. Penetration testing is increasingly required by SOC 2 auditors as evidence that the Common Criteria related to logical access, change management, and risk mitigation are functioning as intended.

Our SOC 2 assessment covers:

• Common Criteria (CC) mapping — CC6 (Logical Access), CC7 (System Operations), CC8 (Change Management)
• Trust Service Principles: Security, Availability, Confidentiality, Processing Integrity, Privacy
• External and internal network penetration testing
• Web application testing for customer-facing and internal systems
• Access control and authentication control validation
• Findings report formatted with SOC 2 criterion references for your auditor

ISO 27001:2022 Annex A includes 93 controls across four themes: Organisational, People, Physical, and Technological. The Technological controls — particularly those relating to secure configuration, network security, application security, and vulnerability management — require active technical testing to provide genuine evidence of effectiveness.

Our ISO 27001 assessment covers:

• Annex A.8 Technological Controls — network, endpoint, and application security
• Clause 6.1.2 risk assessment — identifying and validating technical risks
• Vulnerability assessment and penetration testing per control A.8.8
• Technical gap analysis against all applicable Annex A controls
• Findings mapped to specific control references for ISMS documentation
• Evidence packages suitable for certification audit submissions

HIPAA's Security Rule (45 CFR Part 164) requires covered entities and business associates to implement technical safeguards protecting electronic Protected Health Information (ePHI). While HIPAA does not mandate penetration testing by name, the Office for Civil Rights (OCR) expects risk assessments to include technical evaluation of safeguards — and breach investigations routinely cite absent penetration testing as evidence of inadequate safeguards.

Our HIPAA assessment covers:

• Identification and scoping of all ePHI systems and data flows
• Technical safeguard testing — access controls, audit controls, transmission security
• Network segmentation between ePHI systems and general corporate systems
• Workstation and server vulnerability identification
• Risk analysis documentation aligned to OCR guidance
• Findings report structured for HIPAA risk management plan integration

Canada's federal private sector privacy law, PIPEDA, and the forthcoming Consumer Privacy Protection Act (CPPA, Bill C-27) require organisations to protect personal information using security safeguards appropriate to the sensitivity of the data. The Office of the Privacy Commissioner of Canada (OPC) has cited insufficient technical safeguards in the majority of significant breach investigations it has concluded.

As a Toronto-based practice, we have direct experience with Canadian privacy obligations. Our PIPEDA assessment covers:

• Mapping personal information flows and storage locations
• Technical safeguard testing of all systems processing personal data
• Access control and data minimisation control validation
• Breach notification readiness assessment
• Cross-border data transfer technical controls review
• Findings aligned to OPC guidance and the 10 Fair Information Principles

The NIST Cybersecurity Framework 2.0 organises cybersecurity activities across six Functions: Govern, Identify, Protect, Detect, Respond, and Recover. Technical penetration testing directly validates the Protect and Detect functions, while findings inform the Identify (asset and risk) and Govern (risk management) functions.

Our NIST CSF assessment covers:

• Protect (PR) — access control, data security, platform security, technology resilience
• Detect (DE) — continuous monitoring, adverse event analysis
• Identify (ID) — asset management and risk assessment validation
• Penetration testing of prioritised attack surfaces per your CSF profile
• Findings mapped to NIST CSF subcategories and Informative References
• Current Profile to Target Profile gap analysis with remediation prioritisation

The CIS Controls v8.1 provide a prioritised set of 18 controls mapped to three Implementation Groups (IGs) by organisational maturity and risk profile. IG1 covers essential cyber hygiene; IG2 adds controls for organisations with moderate risk exposure; IG3 applies to organisations facing sophisticated adversaries. Technical penetration testing is the most reliable way to validate whether CIS Controls are functioning as intended.

Our CIS Controls assessment covers:

• IG1 baseline validation — inventory, patching, access control, email, browser defences
• IG2 additions — data protection, secure configuration, audit log management, network monitoring
• IG3 additions — penetration testing (CIS Control 18), application software security, incident response
• Findings mapped to specific CIS Control and Sub-Control references
• Implementation Group gap analysis with prioritised remediation roadmap