CIS Critical Security Controls v8.1 (The 18 CIS CSC)

18.1 Establish and Maintain a Penetration Testing Program
Establish and maintain a penetration testing program appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. 

18.2 Perform Periodic External Penetration Tests
Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box. 

18.3 Remediate Penetration Test Findings
Remediate penetration test findings based on the enterprise’s documented vulnerability remediation process. This should include determining a timeline and level of effort based on the impact and prioritization of each identified finding.

18.4 Validate Security Measures
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.

18.5 Perform Periodic Internal Penetration Tests
Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box.