How Often Should We Conduct a Penetration Test?
There are really no specific rules regarding when and how often an organization should conduct a penetration test. Testing frequency is based on many factors such as regulatory compliance obligations, the value of the information needing protection, the objectives and type of security problem under assessment, major changes to the environment, the size of the organization, and the type of support and budget for these activities.
You can use the following guidelines to determine how frequently to conduct penetration testing:
• If you have never conducted a penetration test and want to protect valuable assets, conduct a comprehensive test as soon as possible.
• If you have conducted your first penetration test, plan to conduct penetration tests annually or after any major infrastructure change.
• If a penetration test identifies critical vulnerabilities, retest after remediation is complete.
• If you conduct a security risk assessment, conduct a penetration test at the same time.
• If you want to address specific security concerns, schedule targeted penetration tests either quarterly or semiannually.