> series: business_owners_guide —— part: 03/10 —— topic: when_to_test —— status: timing_is_everything
One of the most common questions we receive from business owners is 'when should we have a penetration test?' The honest answer is that there is rarely a wrong time — but there are specific moments when testing is particularly valuable, and situations where it becomes urgent. Understanding these triggers ensures you commission tests proactively, when they can prevent problems, rather than reactively, after something has already gone wrong.
Prepare for your Cyber Essentials certification with our practical checklist covering all five technical controls.
Several regulatory frameworks and industry standards either mandate or strongly recommend regular penetration testing. If any of the following apply to your organisation, testing is not optional — it is a compliance requirement.
| Requirement | Testing Mandate | Frequency |
|---|---|---|
| PCI DSS | Requirement 11.4 mandates penetration testing for any organisation that stores, processes, or transmits cardholder data. Both external and internal testing are required, and tests must be performed by a qualified professional. | At least annually, and after any significant infrastructure or application change. |
| GDPR / UK GDPR | Article 32 requires 'appropriate technical and organisational measures' to protect personal data, and Article 32(1)(d) specifically requires 'a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures'. The ICO interprets this to include penetration testing. | Regularly — the ICO does not prescribe a specific frequency, but annual testing is widely regarded as the minimum standard. |
| ISO 27001 | Annex A.18.2.3 requires 'technical compliance review' of information systems. While not explicitly mandating penetration testing by name, the standard expects organisations to verify that security controls work in practice — which penetration testing directly addresses. | Aligned with the organisation's risk assessment cycle — typically annually. |
| Cyber Essentials Plus | The Plus certification includes a verified technical assessment — an external vulnerability scan and internal security review conducted by a certified assessor. While not a full penetration test, it verifies that Cyber Essentials controls are implemented correctly. | Annually for certification renewal. |
| FCA / Financial Services | The Financial Conduct Authority expects regulated firms to conduct regular penetration testing as part of their operational resilience obligations. CBEST and TIBER-EU frameworks provide specific threat-intelligence-led testing requirements for larger financial institutions. | At least annually for general testing. CBEST/TIBER cycles as determined by the regulator. |
| NHS / DSPT | The Data Security and Protection Toolkit requires NHS organisations and their suppliers to demonstrate appropriate security testing. Penetration testing is an expected component of the evidence submitted. | Annually, aligned with the DSPT submission cycle. |
Beyond compliance, there are business events that materially change your risk profile and should trigger a penetration test — even if your regular testing cycle has not yet come around.
A penetration test is a point-in-time assessment. It tells you about your security posture on the day the test was conducted — not yesterday, not next month, and certainly not next year. Your environment changes continuously: software is updated, new services are deployed, configurations drift, staff join and leave, and new vulnerabilities are disclosed daily.
This is why annual penetration testing is the widely accepted minimum standard. Annual testing provides a regular checkpoint that catches configuration drift, newly introduced vulnerabilities, and changes that may have inadvertently weakened your security posture. For organisations with higher risk profiles — those handling financial data, healthcare records, or operating critical infrastructure — quarterly or continuous testing may be appropriate.
Schedule your annual penetration test at a consistent time each year — and avoid scheduling it during your busiest trading period. Allow at least four to six weeks after the test for remediation before any compliance deadlines. If your compliance deadline is in March, commission the test in December or January to give yourself time to fix findings and, if necessary, request a retest of critical issues.
Some situations indicate that testing is overdue. If any of the following apply to your organisation, consider commissioning a test as a matter of urgency.
| Warning Sign | What It Means |
|---|---|
| You have never had a penetration test | You have no baseline understanding of your security posture. Vulnerabilities that have existed since your infrastructure was first deployed may still be present and exploitable. Every day without testing is a day those vulnerabilities are available to attackers. |
| Your last test was more than twelve months ago | Your environment has changed since the last test. New vulnerabilities have been disclosed. Configurations have drifted. The results of your last test no longer reflect your current exposure. |
| You do not know what is on your external attack surface | If you cannot confidently list every service, application, and IP address that is visible from the internet, you do not know what attackers can see — and neither does your IT team. An external penetration test begins with reconnaissance and will tell you exactly what is exposed. |
| You rely on a vulnerability scanner and call it a penetration test | A vulnerability scan is not a penetration test. If your compliance evidence or board reports refer to automated scanning as 'penetration testing', your organisation has a false sense of security. |
| You have experienced a breach or near-miss and have not tested since | Without testing after an incident, you cannot be confident that the vulnerability was fully remediated or that the attacker did not leave persistent access mechanisms behind. |
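The "you do not know what is on your external attack surface" warning sign above is easiest to understand as a reconciliation problem: compare what the business believes is internet-facing with what an authorised external view (the tester's reconnaissance report, or your own authorised external scan) actually finds. The script below is an added example, not part of the original article or any provider's tooling. The asset register, IP addresses, ports and observed services in it are all constructed placeholders (203.0.113.0/24 is a documentation range), and the `reconcile` and `coverage` helpers are assumed names written for this illustration.

```python
"""Reconcile a declared external asset register against services observed
from the internet, to surface exposures the owner did not know about.

Added example, not from the original article. All data below is constructed:
the hostnames, IPs and ports are placeholders, not real systems.
"""

from dataclasses import dataclass

# Constructed asset register: what the business *believes* is internet-facing,
# keyed by (ip, port) with a short description of the purpose.
DECLARED = {
    ("203.0.113.10", 443): "public website",
    ("203.0.113.10", 80): "website redirect to HTTPS",
    ("203.0.113.20", 25): "mail gateway",
    ("203.0.113.40", 21): "legacy FTP (believed decommissioned)",
}

# Constructed observation set, in the shape an external tester's recon report
# (or an authorised external scan) would hand back: (ip, port, service).
OBSERVED = [
    ("203.0.113.10", 443, "https"),
    ("203.0.113.10", 80, "http"),
    ("203.0.113.20", 25, "smtp"),
    ("203.0.113.20", 3389, "ms-wbt-server"),  # service not in the register
    ("203.0.113.30", 22, "ssh"),              # host not in the register at all
]


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    service: str
    reason: str


def reconcile(declared, observed):
    """Return (unknown_exposures, stale_entries).

    unknown_exposures: observed services with no register entry; these are the
    things attackers can see that the owner cannot, and need a decision
    (remove, firewall, or document and accept).
    stale_entries: register entries not observed from outside; these usually
    mean the register is out of date rather than a security problem.
    """
    seen = set()
    unknown = []
    for ip, port, service in observed:
        seen.add((ip, port))
        if (ip, port) not in declared:
            known_host = any(d_ip == ip for d_ip, _ in declared)
            reason = ("undeclared service on known host" if known_host
                      else "undeclared host")
            unknown.append(Finding(ip, port, service, reason))
    stale = sorted(key for key in declared if key not in seen)
    return unknown, stale


def coverage(declared, observed):
    """Fraction of observed exposures the register accounts for.

    1.0 means the owner's picture of the attack surface matches what the
    outside world sees; anything lower is the size of the blind spot.
    """
    if not observed:
        return 1.0
    known = sum(1 for ip, port, _ in observed if (ip, port) in declared)
    return known / len(observed)


if __name__ == "__main__":
    unknown, stale = reconcile(DECLARED, OBSERVED)
    print(f"register covers {coverage(DECLARED, OBSERVED):.0%} of observed exposures")
    for f in unknown:
        print(f"UNKNOWN  {f.ip}:{f.port} ({f.service}) - {f.reason}")
    for ip, port in stale:
        print(f"STALE    {ip}:{port} - '{DECLARED[(ip, port)]}' not observed; update register")
```

Run it as-is and the constructed data produces two unknown exposures (a remote-desktop service on a known host, and an entirely undeclared host running SSH) plus one stale register entry, with the register covering 60% of what is actually visible. The useful output for a business owner is not the port list itself but the coverage figure and the two "unknown" lines: each one is a service that was reachable from the internet without anyone inside the organisation having a record of it, which is exactly the situation the warning sign describes.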
Next week, we tackle one of the most important decisions in the process: how to choose a penetration testing provider. Not all providers are equal, and the difference between a thorough, professional engagement and a box-ticking exercise can be dramatic. We will cover what credentials to look for, what questions to ask, and what red flags to watch out for.
Whether you are overdue for your annual test, launching a new application, or responding to a compliance requirement, we can have a scoping conversation this week and begin testing within days.