Compliance and Penetration Testing

Compliance with common security standards (e.g. ISO 27001, NIST, PCI-DSS) may require you to perform specific types of security scanning and testing on a regular basis. Although these types of testing are an important part of a well-managed and mature security and privacy program, they may not in themselves meet Google's requirements.

A common example is PCI-DSS, which requires penetration testing as part of its compliance requirements. However, being PCI-DSS compliant does not by itself mean that the penetration testing performed to obtain that compliance meets Google's standards. In particular, the requirements regarding the scope of systems to test will likely differ between the two approaches. Google also specifically calls out a validity period (12 months) for penetration testing, and requires that the testing be performed in an authenticated and manual fashion.