SUMMARY

Like many others, your organisation can benefit from conducting effective, value-for-money penetration testing. To achieve this, you will need to plan for a penetration test, select an appropriate third party provider, and manage all important related activities.

Firstly, there are a number of key concepts you will need to understand to conduct a well-managed penetration test, such as understanding what a penetration test is (and is not), appreciating its strengths and limitations, and considering why you would want to employ an external provider of penetration testing services.

Secondly, to ensure requirements are satisfactorily met, it is advisable to adopt a systematic, structured approach to penetration testing. This involves determining business requirements; agreeing the testing scope; establishing a management framework (including contracts, risk, change and problem management); planning and conducting the test itself; and implementing an effective improvement programme.

Finally, if your organisation decides to appoint an external provider of penetration services, it is important that you choose a supplier who can most effectively meet your requirements – but at the right price. It is often helpful to determine a set of criteria when choosing an appropriate supplier, considering the six key selection criteria outlined in this report.

A useful set of presentation slides has also been produced, summarising the main findings from the project and including all the diagrams. Both this and the full Procurement Guide are available from CREST at www.crest-approved.org/

‘What we are looking for from a supplier is certainty, prioritisation, trust and security’
