{"id":21875,"date":"2025-04-24T10:00:00","date_gmt":"2025-04-24T08:00:00","guid":{"rendered":"https:\/\/defenderbox.de\/?p=21875"},"modified":"2025-08-08T14:28:31","modified_gmt":"2025-08-08T12:28:31","slug":"bvd-2","status":"publish","type":"post","link":"https:\/\/defenderbox.de\/en\/bvd-2\/","title":{"rendered":"DEFENDERBOX in the BvD News"},"content":{"rendered":"
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Penetration testing in regulatory and normative specifications\u00a0<\/h2>\n

<\/p>\n

Cybersecurity is becoming increasingly important<\/strong> - especially when it comes to detecting vulnerabilities in company networks or cloud-based systems at an early stage.<\/p>\n

Measures such as vulnerability analyses and penetration tests (pentests) play a central role here. In many cases, such tests not only make sense, but are even required by law or standards.<\/p>\n

In the BvD News from March 31, 2025<\/a> Ralf Zlamal and Markus Schulte provide an overview of the most important requirements and specifications.<\/p>\n

Regular specifications<\/h2>\n

DS-GVO<\/strong><\/p>\n

The General Data Protection Regulation (GDPR) does not require a direct obligation to carry out vulnerability and pentests. However, an indirect obligation can certainly be derived in various places.<\/p>\n

Art. 5 requires controllers or companies to protect personal data from unauthorized access, loss or destruction. Art. 24 requires the controller or company to take appropriate technical and organizational measures (TOMs) to comply with the requirements of the GDPR. Art. 25 requires the protection of personal data through technology design.<\/p>\n

Strictly speaking, IT systems must be designed in such a way that personal data is protected by default.<\/p>\n

NIS-2 Directive<\/strong><\/p>\n

According to the federal government's current draft (note: in Germany, approval by the Bundestag was still pending at the time the article was published), companies that fall under the NIS-2 Directive<\/a> are increasingly concerned with this topic. Even if the NIS-2 Directive does not contain a direct requirement for vulnerability and pentests, the requirements can be found indirectly in Art. 21 of the NIS-2 Directive. Paragraph 2 states that companies must \"implement appropriate and proportionate technical, operational and organizational risk mitigation measures\".<\/p>\n

\"Cyber hygiene measures and procedures to test and evaluate the effectiveness of measures to address cybersecurity risks\" are required (Art. 21 para. 2 (f)). This can only be achieved with regular Vulnerabilities and security tests<\/a> be guaranteed.<\/p>\n

Art. 34 (Sanctions) must be taken into account in this context. This stipulates that fines can be imposed on both significant and important institutions or companies if they violate Art. 21.<\/p>\n

DORA<\/strong><\/p>\n

In our opinion, the Digital Operational Resilience Act (DORA) contains specific requirements for vulnerability and pentests for financial companies and their IT service providers. The requirements can be derived from Articles 10, 17, 23, 25 and 26. Among other things, the companies concerned should have mechanisms in place to detect anomalous activities immediately and identify potential individual material vulnerabilities.<\/p>\n

ISO 27001\/27002<\/strong><\/p>\n

In Chapter 6.1.3, ISO 27001 requires organizations or companies to assess risks and implement suitable measures. Both vulnerability and Pentests<\/a> can be regarded as suitable measures here.<\/p>\n

Chapter 8.1 requires that the implemented security measures should be reviewed regularly when operating the ISMS. This includes regular tests to identify technical vulnerabilities.<\/p>\n

Chapter 5.31 of ISO 27002 contains the recommendation that companies should regularly check compliance with security requirements. Chapter 8.8 contains the requirement for regular identification and assessment of vulnerabilities.<\/p>\n

Chapter 8.16 calls for the regular review of the security of IT systems. Vulnerability scans and penetration tests are also a suitable tool here.<\/p>\n

TISAX<\/strong><\/p>\n

The TISAX (Trusted Information Security Assessment Exchange) security standard developed by the German Association of the Automotive Industry (VDA) is very closely aligned with the requirements of ISO 27001\/27002.<\/p>\n

The requirements derived from ISO 27001\/27002 are supplemented by requirements specific to the automotive industry, including the handling of prototypes.<\/p>\n

Section 5.2.6 describes the implementation of pentests and vulnerability scans when a very high level of protection is required as a suitable means of ensuring these requirements and the associated verifiability.<\/p>\n

For new or further developed IT systems, Chapter 5.3.1 mentions the implementation of penetration tests as an appropriate measure if the company has to meet the requirement of a very high need for protection.<\/p>\n

Possibilities of technical implementation<\/h2>\n

The vulnerability and pentests mentioned above are therefore essential measures to ensure compliance with the above-mentioned requirements from various legal and normative specifications. They simulate attacks and help to identify security vulnerabilities before attackers can exploit them.<\/p>\n

For such tests to be of sufficient quality, the following criteria should be met:<\/p>\n

Coverage of the security scans (tests):<\/h3>\n

The security scans should cover all relevant areas of the IT infrastructure:<\/strong><\/p>\n