
What are the pentest requirements for different compliance frameworks?

Written by Michael Rothbaum
Updated over 2 years ago

On a high level:

  • SOC 2 & ISO 27001: Not explicitly mandated by the framework text, but required or at least strongly recommended by reputable audit firms, including Thoropass Compliance and others.

    • If you are working toward your SOC 2 Type 1 attestation, you are not required to have performed a penetration test, but testing must be outlined in your Assessment, Authorization, and Monitoring Policy and Procedures documents. (We encourage you to include pentesting in your policies and procedures as a best practice, regardless of the framework you're working toward.)

  • PCI DSS, HITRUST, & FedRAMP: Explicitly required. Auditors will ask for the report, and if you're selling to enterprises, their security questionnaires are likely to ask about it too.

For more in-depth context:

SOC 2 requirements:

  • CC4.1 – Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certifications made against established specifications (for example, ISO certifications), and internal audit assessments.

  • CC7.1 – The entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

ISO 27001 requirements:

  • A.12.6.1 (ISO 27001:2013 Annex A; the equivalent control in ISO 27001:2022 is A.8.8, Management of technical vulnerabilities) – Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

PCI DSS requirements:

"To remain PCI DSS compliant, organizations must implement a penetration testing program encompassing at least an annual penetration test for both applications and infrastructure."

The requirement numbers below follow PCI DSS v3.2.1. PCI DSS v4.0 renumbers them (penetration testing now sits under requirement 11.4) but keeps the same substance: annual internal and external testing, retesting after significant changes, remediation and retest, and segmentation testing.

  • 6.1 Identify security vulnerabilities in your internal and external applications by using reputable outside sources for security vulnerability information and assign a risk ranking (e.g., ‘high,’ ‘medium,’ or ‘low’) to each vulnerability.

  • 6.2 Ensure that all software and system components are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Critical security patches must be installed within one month of their release.

  • 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.

  • 11.3.1 Conduct external penetration tests at least once a year and after any significant infrastructure or application change or upgrade (for example, an operating system upgrade, or adding a subnet or web server to the environment).

  • 11.3.2 Conduct internal penetration tests at least once a year and after any significant infrastructure or application change or upgrade (same examples as above).

  • 11.3.3 Exploitable vulnerabilities found during penetration testing must be corrected, and the affected components retested until the vulnerabilities are confirmed fixed.

  • 11.3.4 If segmentation is used to isolate the CDE from other networks, a penetration test is required at least once a year and after any change to the segmentation methods or controls, to verify that the segmentation is operational and effective.

GDPR requirements:

  • Article 32(1)(d) – Implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. GDPR does not name penetration testing, but a recurring pentest is the usual evidence that this process exists.

FedRAMP requirements:

  • CA-8 (NIST SP 800-53, Penetration Testing) – Included in the FedRAMP Moderate and High baselines; penetration testing is performed at least annually, by an independent assessor (CA-8(1)), following the FedRAMP Penetration Test Guidance, and is repeated with each annual assessment.

HITRUST requirements:
