CIS Control 18.5: Perform Periodic Internal Penetration Tests
Internal penetration testing is a critical control that identifies vulnerabilities before attackers do. CIS Control 18.5 requires organizations to conduct penetration tests at least annually using either clear box or opaque box methodologies. For SMBs managing limited security teams, establishing a consistent testing cadence and documenting results is essential to demonstrate a mature vulnerability management program.
What this means
This control mandates conducting simulated attacks from inside your network at least once per year to uncover exploitable weaknesses in systems, applications, and security controls. Organizations can choose between clear box testing (testers have system knowledge) or opaque box testing (testers have minimal information), or combine both approaches. The goal is to identify and remediate vulnerabilities before malicious actors exploit them, strengthening your overall security posture.
How to comply
- 1.Establish a formal penetration testing program with documented scope, methodology, and frequency (minimum annually)
- 2.Define testing parameters: choose clear box, opaque box, or hybrid approach based on risk assessment
- 3.Select qualified internal staff or engage third-party penetration testing firms
- 4.Schedule tests to avoid business disruption and ensure adequate remediation time
- 5.Document all findings, severity levels, and affected systems in a centralized repository
- 6.Create and track remediation plans with assigned owners and target resolution dates
- 7.Verify fixes through retesting before closing findings
- 8.Report results to executive leadership and security stakeholders
- 9.Maintain evidence of testing (scope documents, reports, remediation records) for compliance audits
Evidence auditors look for
- Penetration testing reports with dates, scope, methodology, and findings documented
- Clear box vs. opaque box testing evidence showing varied testing approaches
- Remediation tracking logs showing vulnerabilities identified and fixes implemented
- Retesting reports confirming successful closure of previous findings
- Annual testing schedule and calendar showing recurring penetration test dates
- Third-party penetration testing contracts or statements of work
- Executive summaries presented to leadership demonstrating testing results and trend analysis
- Signed-off remediation plans with timelines and responsible parties
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates penetration testing evidence collection and remediation tracking, centralizing test reports, findings, and fix verification in one compliant repository so your team spends less time on documentation and more time on security improvements.
See how GRCWatch handles this control automatically
Start free trial