GRCWatch
Sign inStart free trial

CIS Control 18.1: Establish and Maintain a Penetration Testing Program

Penetration testing is your organization's stress test for cybersecurity. CIS Control 18.1 requires you to build a structured program that regularly validates your defenses through simulated attacks. For SMBs, this means creating a realistic roadmap that fits your budget and complexity.

What this means

CIS Control 18.1 requires enterprises to develop and sustain a formal penetration testing program scaled to organizational size, technical complexity, and security maturity. The program must include a documented roadmap defining planned testing activities, scope, frequency, and success metrics—all designed to measure how effectively your security controls actually perform against real-world attack scenarios. This isn't a one-time assessment; it's an ongoing practice that evolves with your threat landscape.

How to comply

  1. 1.Define penetration testing scope based on your organization's size, critical assets, and risk profile
  2. 2.Create a multi-year roadmap documenting planned testing activities, frequency (annual minimum), and target systems
  3. 3.Select qualified testers (internal team, managed security providers, or third-party firms) with appropriate certifications
  4. 4.Establish testing rules of engagement, approval workflows, and communication protocols before each engagement
  5. 5.Conduct penetration tests across applications, infrastructure, and social engineering vectors aligned to your roadmap
  6. 6.Document findings in a standardized format with severity ratings, remediation recommendations, and remediation timelines
  7. 7.Track remediation progress and re-test fixed vulnerabilities to validate security improvements
  8. 8.Report results to leadership quarterly and adjust your roadmap based on findings and emerging threats

Evidence auditors look for

  • Penetration testing roadmap document showing 12-24 month planned activities and target systems
  • Annual penetration test reports from qualified third-party testers with scope, findings, and severity ratings
  • Remediation tracking spreadsheet showing vulnerabilities identified, assigned owners, due dates, and closure evidence
  • Board-level summary reports demonstrating trends in findings and security posture improvements
  • Rules of engagement and testing agreements signed by testers and authorized stakeholders
  • Evidence of re-testing for critical and high-severity findings with closure documentation
  • Internal testing logs if using in-house security team, including methodology and tools used

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates penetration testing roadmap management, tracks remediation timelines for discovered vulnerabilities, and generates evidence reports for auditors—eliminating spreadsheet chaos and ensuring no findings fall through the cracks.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 18.2 — Perform Regular Red Team ExercisesCIS 18.3 — Remediate Penetration Test FindingsNIST CSF ID.RA-3 — Risk AssessmentISO 27001 A.14.2.1 — Vulnerability Assessments