Penetration testing in regulatory and normative specifications
Cybersecurity is becoming increasingly important — especially when it comes to detecting vulnerabilities in company networks or cloud-based systems at an early stage.
Measures such as vulnerability analyses and penetration tests (pentests) play a central role here. In many cases, such tests not only make sense, but are even required by law or standards.
In BvD News of March 31, 2025, Ralf Zlamal and Markus Schulte provide an overview of the most important requirements and specifications.
Regulatory specifications
GDPR (DS-GVO)
The General Data Protection Regulation (GDPR) contains no direct obligation to carry out vulnerability and penetration tests. An indirect obligation can, however, be derived from several provisions.
Art. 5 (the integrity and confidentiality principle in Art. 5(1)(f)) requires controllers to protect personal data against unauthorised access, loss and destruction. Art. 24 requires the controller to implement appropriate technical and organisational measures (TOMs) to ensure, and to be able to demonstrate, that processing complies with the GDPR. Art. 25 requires data protection by design and by default.
In other words, IT systems must be designed so that personal data is protected by default, and the controller must be able to show that the chosen measures actually work. Regular testing is the usual way of producing that evidence.
NIS‑2 Directive
According to the German federal government's current draft implementing act (adoption by the Bundestag was still pending when the article was published), companies that fall under the NIS-2 Directive are increasingly confronted with this topic. The Directive contains no explicit requirement for vulnerability and penetration tests, but the requirement follows indirectly from Art. 21. Paragraph 1 obliges essential and important entities to take "appropriate and proportionate technical, operational and organisational measures" to manage the risks posed to the security of their network and information systems.
The minimum measures listed in paragraph 2 include "policies and procedures to assess the effectiveness of cybersecurity risk-management measures" (Art. 21(2)(f)), "basic cyber hygiene practices" (Art. 21(2)(g)) and vulnerability handling and disclosure as part of secure acquisition, development and maintenance (Art. 21(2)(e)). Whether measures are effective cannot be assessed without regular vulnerability and security tests.
Art. 34 (general conditions for imposing administrative fines) must be taken into account in this context: fines can be imposed on both essential and important entities that violate Art. 21.
DORA
In the authors' opinion, the Digital Operational Resilience Act (DORA) contains concrete requirements for vulnerability and penetration tests for financial entities and their ICT third-party service providers. They can be derived from Articles 10, 17, 23, 25 and 26. Among other things, the entities concerned must have mechanisms in place to promptly detect anomalous activities and to identify potential material single points of failure (Art. 10). Art. 25 explicitly lists vulnerability assessments and scans as well as penetration testing among the tests to be performed, and Art. 26 requires advanced threat-led penetration testing (TLPT) at least every three years for the financial entities designated by the competent authorities.
ISO 27001⁄27002
Clause 6.1.3 of ISO 27001 requires organisations to treat the risks identified in the risk assessment with suitable controls. Both vulnerability scans and penetration tests qualify as such controls.
Clause 8.1 requires the implemented controls to be operated and reviewed regularly while running the ISMS. This includes regular tests to identify technical vulnerabilities.
In ISO 27002 (2022 edition numbering), control 5.31 requires the legal, statutory, regulatory and contractual requirements relevant to information security to be identified, documented and kept up to date, which covers the testing obligations derived above. Control 8.8 (management of technical vulnerabilities) requires information about technical vulnerabilities to be obtained, the organisation's exposure to them to be evaluated and appropriate measures to be taken.
Control 8.16 (monitoring activities) calls for networks, systems and applications to be monitored for anomalous behaviour. Vulnerability scans and penetration tests are suitable tools here as well.
TISAX
TISAX (Trusted Information Security Assessment Exchange), the assessment and exchange scheme of the automotive industry operated by the ENX Association, is based on the VDA ISA catalogue of the German Association of the Automotive Industry (VDA) and is closely aligned with the requirements of ISO 27001/27002.
The requirements derived from ISO 27001/27002 are supplemented by requirements specific to the automotive industry, including the handling of prototypes.
Control 5.2.6 names penetration tests and vulnerability scans as a suitable means of meeting these requirements, and of demonstrating that they are met, where a very high protection need applies.
For new or further developed IT systems, control 5.3.1 likewise names penetration tests as an appropriate measure where the company has to meet a very high protection need.
Possibilities of technical implementation
The vulnerability scans and pentests mentioned above are therefore essential measures for meeting the requirements of the various legal and normative specifications. They simulate attacks and help to identify security vulnerabilities before attackers can exploit them.
For such tests to be of sufficient quality, the following criteria should be met:
Coverage of the security scans (tests):
The security scans should cover all relevant areas of the IT infrastructure:
- External: Internet-facing systems such as web applications, VPN gateways and public servers that are directly reachable by attackers.
- Internal: Internal networks and systems that an insider, or an attacker who has already gained a foothold, could compromise.
- Darknet: Monitoring of darknet marketplaces and forums for company data (credentials, documents) offered or distributed there, in order to detect leaks that scans of the company's own systems cannot reveal.
Broad coverage of security gaps
- Vulnerability analysis: Automated tools scan systems for known vulnerabilities, outdated software versions and misconfigurations. The result is a list of potential weaknesses that has not yet been verified.
- Penetration tests: Testers actively attempt to exploit the vulnerabilities found in order to verify that they are really exploitable, chain them where possible and simulate realistic attack scenarios.
- High quality through consistent execution: Describing the attack techniques tested in a standardized, repeatable way, for example by mapping them to the MITRE ATT&CK® knowledge base of adversary tactics and techniques, makes the results of different test runs comparable. This supports continuous improvement of the security posture and allows progress to be measured precisely.
Automation to reduce costs
Automated vulnerability scans and automated pentests are a cost-effective way of identifying security gaps regularly. Tools such as Nessus (vulnerability scanning) or NodeZero® (autonomous penetration testing) enable fast and scalable tests. They should nevertheless be supplemented by manual pentests, since business-logic flaws and multi-step attack paths are rarely found by automation alone.
Support from cybersecurity experts
Ideally, vulnerability scans and pentests are accompanied by experienced cybersecurity experts who interpret the results correctly and derive measures to reduce risk. These can be internal experts; external experts additionally bring a fresh perspective on existing systems.
Documentation of regular implementation
The documentation should describe the scope of the systems tested, the severity of the vulnerabilities identified and the measures taken to remediate them, together with the date of each test run.
Thorough records are important for the traceability of measures: they document that legal requirements have been met and that IT security is continuously improving.
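As an added example (not code from the BvD article or from any of the tools named above), the following Python script derives the documentation described here from two scan runs instead of writing it by hand: which required areas the latest run covered, how many findings are open per severity, which findings disappeared between runs, which open findings have exceeded their remediation deadline, and whether the runs are regular. The 90-day scan interval, the per-severity deadlines (SLA_DAYS), the host names and the check identifiers are all constructed assumptions for the example; no cited regulation prescribes these numbers.

```python
"""Added example: evidence record for recurring vulnerability scans.
Not from the BvD article. Interval, deadlines and findings are assumptions."""
from dataclasses import dataclass
from datetime import date

SCAN_INTERVAL_DAYS = 90  # assumed cadence; no cited regulation prescribes a number
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed deadlines
REQUIRED_AREAS = ("external", "internal")  # coverage areas named in the text


@dataclass(frozen=True)
class Finding:
    host: str
    area: str      # "external" or "internal"
    vuln_id: str   # constructed check id, not a real scanner plugin id
    severity: str


@dataclass(frozen=True)
class Scan:
    run_on: date
    areas: frozenset  # areas this run actually covered
    findings: tuple


def _key(f):
    """Same host and same check in two runs means the same finding."""
    return (f.host, f.vuln_id)


def _ordered(scans):
    return sorted(scans, key=lambda s: s.run_on)


def coverage_gaps(scans, required=REQUIRED_AREAS):
    """Required areas that the latest run did not cover."""
    latest = _ordered(scans)[-1]
    return sorted(set(required) - set(latest.areas))


def cadence_violations(scans, today):
    """Gaps in days between consecutive runs, and from the last run to today,
    that exceed the assumed interval. An empty list means monitoring is regular."""
    dates = [s.run_on for s in _ordered(scans)] + [today]
    gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
    return [g for g in gaps if g > SCAN_INTERVAL_DAYS]


def open_findings(scans):
    """Findings reported by the latest run, each with the date it was first seen."""
    ordered = _ordered(scans)
    first_seen = {}
    for s in ordered:
        for f in s.findings:
            first_seen.setdefault(_key(f), s.run_on)
    return {_key(f): (f, first_seen[_key(f)]) for f in ordered[-1].findings}


def remediated_findings(scans):
    """Findings from the previous run that are gone in the latest run.
    A finding only counts as remediated if its area was scanned again;
    if the area was left out, its absence proves nothing."""
    ordered = _ordered(scans)
    if len(ordered) < 2:
        return []
    previous, latest = ordered[-2], ordered[-1]
    still_open = {_key(f) for f in latest.findings}
    return [f for f in previous.findings
            if _key(f) not in still_open and f.area in latest.areas]


def overdue_findings(scans, today):
    """Open findings that are older than the deadline for their severity."""
    return [f for f, seen in open_findings(scans).values()
            if (today - seen).days > SLA_DAYS[f.severity]]


def evidence_record(scans, today):
    """Scope, severity, measures taken and regularity, as the text asks for."""
    by_severity = {}
    for f, _ in open_findings(scans).values():
        by_severity[f.severity] = by_severity.get(f.severity, 0) + 1
    return {
        "scan_dates": [s.run_on.isoformat() for s in _ordered(scans)],
        "coverage_gaps": coverage_gaps(scans),
        "cadence_violations": cadence_violations(scans, today),
        "open_by_severity": by_severity,
        "remediated": [_key(f) for f in remediated_findings(scans)],
        "overdue": [_key(f) for f in overdue_findings(scans, today)],
    }


# Constructed sample input: two runs, one finding fixed in between, one new one.
SCANS = (
    Scan(date(2025, 1, 15), frozenset(REQUIRED_AREAS), (
        Finding("web01", "external", "tls-weak-cipher-suites", "high"),
        Finding("vpn01", "external", "ssh-outdated-version", "critical"),
        Finding("fs01", "internal", "smb-signing-disabled", "medium"),
    )),
    Scan(date(2025, 4, 10), frozenset(REQUIRED_AREAS), (
        Finding("web01", "external", "tls-weak-cipher-suites", "high"),
        Finding("fs01", "internal", "smb-signing-disabled", "medium"),
        Finding("db01", "internal", "unsupported-db-version", "high"),
    )),
)
TODAY = date(2025, 4, 20)

if __name__ == "__main__":
    import json
    print(json.dumps(evidence_record(SCANS, TODAY), indent=2))
```

With the sample data the record shows one remediated finding (the outdated SSH on vpn01), two findings that have outlived their deadline (the TLS and SMB findings first seen in January) and no cadence violation. The remediation check deliberately ignores findings whose area was not rescanned, because a shrinking scope would otherwise look like progress in the records.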
Conclusion
The regular and systematic implementation of penetration and vulnerability tests is essential if the risks of a cyberattack are to be minimized in the long term and companies want to strengthen their cyber resilience. Companies must not only carry out appropriate security scans and checks, but also document the results in a comprehensible manner and integrate them into their future security strategy.
The point is not a one-off or occasional security check but ongoing, regular security monitoring.
Source: BvD News 01/2025