Before new IT services go live, and after major updates and changes, a penetration test of the service must be performed by a trusted security party.
For externally performed pentests, the organisation's security staff assess the management summary of the most recent pentest and the follow-up given to its findings.
The management summary states at least which party performed the test, when it was performed, what the scope of the test was, the number of vulnerabilities found and their associated risk ratings. The results of the re-test, which verifies that the reported findings have been remediated, are also inspected.
Specification
A penetration test takes place at a frequency suitable for the organisation, based on a risk analysis.
The management summaries of penetration test reports are available on request.
Contractual agreements with suppliers include stipulations that the organisation is authorised to perform security tests on the procured services, in cooperation with the supplier.
Security testing takes place on acceptance environments that match the production environment, so that findings are representative of production without putting production data or availability at risk.
ISO 27001 & 27002:2022
A5.25,
A5.35,
A5.36,
A8.8,
A8.15,
A8.16,
A8.19,
A8.29,
A8.34
SURF toetsingskader informatiebeveiliging (NBA maturity model)
SM.05 Security testing surveillance and monitoring