Audit-ready evidence. Honest scope.

Penetration testing for compliance frameworks

Every engagement Cyber Node delivers is scoped and reported to support a specific compliance framework. The testing is ours. The governance, risk and compliance work is not. Here is how we position around the five frameworks Australian buyers ask about most, and who we refer the rest of the work to.

The five frameworks

Which one is on your desk right now?

Each page below leads with the honest answer to a single question: does the framework actually require a penetration test? The copy is accurate to the current version of each standard. Vendors that tell you differently are overclaiming.

Mandated

PCI DSS v4.0.1

Requirements 11.4.1 through 11.4.7 explicitly mandate penetration testing of the cardholder data environment: internal, external and segmentation testing, annually and after any significant change.

PCI DSS testing

Regulator-driven

APRA CPS 234

Paragraph 27 requires systematic testing of information security controls. Penetration testing is how ADIs, RSEs, insurers, and material service providers typically evidence it.

CPS 234 testing

Expected, not mandated

ISO 27001:2022

The standard refers to security testing and technical vulnerability management under A.8.8 and A.8.29. The text does not literally mandate a pen test. Certification bodies expect one.

ISO 27001 testing

Expected, not mandated

SOC 2 Type II

The Trust Services Criteria do not literally require a pen test. Most auditors expect one as the primary evidence for CC4.1 monitoring and CC7.1 system operations.

SOC 2 testing

Maturity model

ASD Essential Eight

Not a penetration testing framework. A maturity model. Cyber Node technically validates whether the eight claimed controls actually hold up under an active adversary.

Essential Eight testing

Not on this list

Something else?

IRAP, CDR, HIPAA, NIST CSF, SOCI Act, IEC 62443 and others come up less often. Scope them directly with us. If we are not the right fit we will say so and introduce a partner who is.

Ask about your framework

What we do, what we refer

The honest split

Most compliance work is not penetration testing. Cyber Node delivers the technical testing component and refers the rest. If a vendor is offering you every layer of a framework, they are almost certainly overclaiming at least one.

In scope for Cyber Node

Technical testing and reporting

  • Manual penetration testing

    Web apps, APIs, networks, cloud, identity.

  • Segmentation and internal testing

    PCI DSS 11.4.5, CPS 234 paragraph 27.

  • Audit-ready reporting

    Formatted for QSAs, SOC 2 auditors, ISO certification bodies.

  • Auditor coordination

    Direct calls with your QSA, CPA, or certification body when useful.

  • Free retest within 60 days

    PCI 11.4.4 explicitly requires remediation verification.

Out of scope, we refer

Governance, risk, and compliance

  • Vanta and Drata platforms

    Continuous control monitoring, evidence collection, Trust Center.

  • ISMS build and Statement of Applicability

    Specialist GRC consultancies.

  • Stage 1 and Stage 2 ISO 27001 audits

    Accredited certification bodies. We recommend a shortlist.

  • SOC 2 attestation

    Must be an independent CPA firm. We refer.

  • IRAP assessments

    Requires an IRAP-endorsed assessor. We refer.

Which framework applies

Most Australian buyers need more than one

A Sydney FinTech selling payment services into US enterprise customers typically carries APRA CPS 234 (because it is a material service provider to an ADI), PCI DSS (because it touches card data), and SOC 2 (because every US customer is asking for a report). A state utility carries CPS 234-equivalent regulator obligations plus IEC 62443 in the OT layer. A SaaS company selling into Defence asks about Essential Eight and sometimes ISM alignment.

Cyber Node scopes a single engagement to cover the overlap. One test, mapped to every relevant framework in the report. The alternative is three separate tests and three separate invoices, which is what most vendors quietly prefer.

Compliance FAQ

Common questions

No. A penetration test is one form of evidence. Most frameworks also require documented policies, risk assessments, controls, and monitoring that sit outside the technical testing scope. Cyber Node delivers the testing and refers the governance, risk and compliance work to specialist partners and platforms.

Usually yes. A single scoped engagement against a web application and its supporting infrastructure can evidence PCI DSS Requirement 11.4, SOC 2 CC4.1 and CC7.1, ISO 27001 A.8.8 and A.8.29, and APRA CPS 234 paragraph 27 simultaneously, provided the scope is set up correctly at the start.

GRC platforms like Vanta and Drata for continuous control monitoring and audit-ready evidence collection. Specialist GRC consultancies for ISMS build, policy writing, Stage 1 and Stage 2 ISO audits, SOC 2 attestation, and CPS 234 gap assessment. Introductions are direct and free.

Yes. Reports are regularly accepted by PCI QSAs, SOC 2 auditors, ISO 27001 certification bodies, and internal audit functions. We coordinate directly with your auditor when required.

Ask. IRAP, CDR, HIPAA, NIST CSF, SOCI Act and IEC 62443 come up less often but we have scoped engagements to each of them at least once. If we are not the right fit we will say so and introduce a partner who is.

Scope an engagement

One pen test. Every framework mapped.