
Penetration Testing and Vulnerability Assessment simulate real-world cyberattacks on systems to identify vulnerabilities and weaknesses before malicious actors can exploit them. Regular testing and assessments help ensure security controls are effective in preventing breaches, protecting sensitive data, and maintaining the integrity of organisational assets. By proactively identifying and addressing vulnerabilities, businesses can significantly reduce the risk of a successful cyberattack.
———————————————————————————————————
Level 1 Certification
———————————————————————————————————
Measure 15.1: Conduct Basic Vulnerability Scanning
Does your enterprise regularly conduct vulnerability scanning to identify common security weaknesses in your systems?
Example: Use free or low-cost vulnerability scanning tools such as OpenVAS and Qualys to check for basic vulnerabilities like unpatched software or misconfigurations.
Measure 15.2: Perform Basic Internal Penetration Testing
Does your enterprise perform simple internal penetration testing to identify potential weaknesses within your internal network?
Example: Conduct an annual internal penetration test, either through in-house resources or by engaging a trusted external vendor, to simulate attacks and identify weak spots in internal systems and processes.
Measure 15.3: Implement a Patch Management Strategy
Does your enterprise have a patch management strategy in place to ensure vulnerabilities identified during tests are addressed promptly?
Example: Ensure a consistent schedule for applying patches and updates to software and systems following vulnerability assessments and penetration tests.
Measure 15.4: Educate Employees About Common Vulnerabilities
Does your enterprise educate employees on common security vulnerabilities, such as weak passwords or social engineering attacks, to reduce potential entry points for attackers?
Example: Provide basic security awareness training to employees, focusing on recognising phishing emails, creating strong passwords, and avoiding risky online behaviour.
———————————————————————————————————
Level 2 Certification
To achieve Level 2: Level 1 must also be achieved.
———————————————————————————————————
Measure 15.5: Conduct External Vulnerability Scanning
Does your enterprise conduct regular external vulnerability scanning to identify weaknesses in your public-facing infrastructure?
Example: Use tools like Nessus, Invicti Netsparker or Rapid7 to scan external-facing servers, websites, and network infrastructure for common vulnerabilities such as outdated software or misconfigured firewalls.
Measure 15.6: Perform Regular Internal Penetration Testing
Does your enterprise conduct regular internal penetration testing to simulate potential attacks from inside the organisation?
Example: Hire external cybersecurity experts or use internal security teams to perform quarterly penetration tests on your internal systems, focusing on sensitive data storage and access control vulnerabilities.
Measure 15.7: Establish a Risk-Based Approach to Vulnerability Management
Does your enterprise have a risk-based approach to managing identified vulnerabilities, prioritising remediation based on the potential impact to the organisation?
Example: Implement a risk ranking system that evaluates vulnerabilities by their potential severity and likelihood of exploitation. Prioritise patching and remediation efforts on high-risk vulnerabilities.
Measure 15.8: Ensure Remediation of Critical Vulnerabilities Within Defined Timeframes
Does your enterprise set and adhere to a timeframe for addressing critical vulnerabilities discovered during penetration tests and vulnerability assessments?
Example: Establish a policy that critical vulnerabilities must be remediated within a specified period, usually within 30 days, to reduce the risk of exploitation.
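A worked illustration of Measures 15.7 and 15.8 (with the retest requirement of Measure 15.13), added here as example code that is not part of the certification scheme: findings are ranked by severity times likelihood, count as closed only once a retest passes, and critical findings still open after the 30-day window are reported as overdue. The scoring scales, band thresholds and sample findings are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LIKELIHOOD_SCORE = {"unlikely": 1, "possible": 2, "likely": 3}
CRITICAL_SLA_DAYS = 30          # Measure 15.8: critical findings closed within 30 days
AS_OF = date(2024, 2, 20)       # constructed reporting date for the sample below

@dataclass
class Finding:
    finding_id: str
    severity: str                # low / medium / high / critical (from scanner or tester)
    likelihood: str              # unlikely / possible / likely (analyst's exploitability call)
    discovered: date
    remediated: bool = False
    retest_passed: bool = False  # Measure 15.13: the fix must be confirmed by retest

def risk_score(f: Finding) -> int:
    """Severity x likelihood, 1..12; higher scores are fixed first (Measure 15.7)."""
    return SEVERITY_SCORE[f.severity] * LIKELIHOOD_SCORE[f.likelihood]

def risk_band(f: Finding) -> str:
    """Map the score to the band that drives SLAs and reporting (assumed thresholds)."""
    s = risk_score(f)
    return "critical" if s >= 9 else "high" if s >= 6 else "medium" if s >= 3 else "low"

def is_closed(f: Finding) -> bool:  # patched alone is not closed; retest must pass too
    return f.remediated and f.retest_passed

def prioritise(findings):
    """IDs of open findings in remediation order: highest risk first, oldest first on ties."""
    open_ = [f for f in findings if not is_closed(f)]
    return [f.finding_id for f in sorted(open_, key=lambda f: (-risk_score(f), f.discovered))]

def overdue(findings, today: date):
    """IDs of critical-band findings still open past the SLA window."""
    limit = timedelta(days=CRITICAL_SLA_DAYS)
    return [f.finding_id for f in findings
            if risk_band(f) == "critical" and not is_closed(f) and today - f.discovered > limit]

def sample_findings():
    """Constructed scan results for illustration only; not from a real system."""
    return [
        Finding("VULN-001", "critical", "likely", date(2024, 1, 5)),
        Finding("VULN-002", "high", "likely", date(2024, 2, 1)),
        Finding("VULN-003", "medium", "possible", date(2024, 1, 10)),
        Finding("VULN-004", "critical", "unlikely", date(2024, 1, 1)),
        Finding("VULN-005", "critical", "likely", date(2024, 1, 2), True, True),
        Finding("VULN-006", "critical", "likely", date(2024, 1, 3), True, False),
    ]
```

Note that VULN-006 stays on the overdue list even though it has been patched, because its retest has not passed; that is the distinction Measure 15.13 asks for.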
———————————————————————————————————
Level 3 Certification
To achieve Level 3: Level 2 and Level 1 must also be achieved.
———————————————————————————————————
Measure 15.9: Conduct Regular External and Internal Penetration Testing
Does your enterprise conduct both external and internal penetration testing regularly to identify and exploit vulnerabilities in your systems?
Example: Engage professional penetration testing firms for quarterly or bi-annual external and internal penetration tests to simulate real-world attacks and assess your organisation’s defences from both external and insider threats.
Measure 15.10: Implement Continuous Vulnerability Scanning and Monitoring
Does your enterprise implement continuous vulnerability scanning and monitoring to proactively detect new threats and vulnerabilities?
Example: Use advanced vulnerability management tools like Tenable.io or Qualys Continuous Monitoring to run automated, real-time vulnerability scans across your infrastructure to detect newly discovered vulnerabilities.
Measure 15.11: Perform Web Application Penetration Testing
Does your enterprise regularly test web applications for vulnerabilities, including SQL injection, cross-site scripting (XSS), and other common attack vectors?
Example: Use automated web application security tools such as Burp Suite or Netsparker and hire external testers to regularly perform web application penetration testing to identify and fix security flaws in your online services.
Measure 15.12: Integrate Penetration Testing Results with Your Incident Response Plan
Does your enterprise integrate the results from penetration tests into its incident response plan to improve preparedness for real-world cyberattacks?
Example: Use findings from penetration tests to simulate attack scenarios in your incident response plan, helping your security team practice containment, mitigation, and recovery strategies.
Measure 15.13: Develop and Test a Remediation Plan for Identified Vulnerabilities
Does your enterprise develop a remediation plan for identified vulnerabilities and test the effectiveness of the plan in resolving the issues?
Example: Establish a structured process for addressing and tracking vulnerabilities found in tests, and regularly verify that the remediations are successful by retesting the systems post-patching.
———————————————————————————————————