Controls

Terug naar overzicht
Version

SB.18.005 Penetration Testing

High
High
High
System Owner
v2.0 (Q1 2024)
Vulnerability Management

Description

Before go-live of new IT services, and after major updates and changes, a penetration test of the information security needs to be performed by a trusted security party.

For externally performed pentests, organisational security staff assesses the management summaries of a recent pentest results and the follow-up to findings.
The management summary contains at least which party performed the test, when the test was performed, what the scope of the test was, the number of vulnerabilities that were found and their associated risks. The re-test results are also inspected.

Specification

A penetration test takes place at a frequency suitable for your organisation, based on risk analysis.

The management summaries of penetration test reports are available on request

Contractual agreements with suppliers include stipulations that the organisation is authorised to perform security tests on the procured services, in cooperation with the supplier.

Security testing takes place on acceptance environments that match the production environment.