A Buyer's Guide to Procuring Penetration Testing Services
The CREST Penetration Testing Services Procurement Guide provides practical advice on the purchase and management of penetration testing services, helping you to conduct effective, value-for-money penetration testing. It is designed to enable your organisation to plan for a penetration test, select an appropriate third-party provider and manage all the important related activities.
The Guide presents a useful overview of the key concepts you will need to understand to conduct a well-managed penetration test, explaining what a penetration test is (and is not), outlining its strengths and limitations and describing why an organisation would typically choose to employ an external provider of penetration testing services.
The Guide is structured as a five-stage procurement approach and offers advice and guidance on how to:
- Determine business requirements for a penetration test, considering the drivers for testing, the purpose of testing and target environments;
- Agree the testing scope, approving testing style and type and assessing testing constraints;
- Establish a management framework to assure quality, reduce risk, manage changes and problems and agree the contract;
- Plan and conduct the penetration test itself, which consists of conducting research, identifying vulnerabilities, exploiting weaknesses, reporting findings and remediating issues;
- Implement an improvement programme to address weaknesses, identify lessons learned, instigate actions and agree an approach for future testing.
Finally, the Guide highlights the main criteria to consider when choosing an appropriate external provider of penetration testing services.