Implementation Actions
- Define risk-based test scope.
- Run periodic tests and retests.
- Feed results into architecture and controls backlog.
CIS Controls v8
CIS 18 Penetration Testing
Starts in IG3 | Validate defensive effectiveness through adversarial testing.
Evidence Examples
- Test scope and reports
- Retest evidence
- Residual risk records
Suggested Metrics
- Critical finding closure rate
- Recurring finding trend