How do I select a good penetration testing provider?

A good pen tester can replicate the types of actions that a malicious attacker would take, which offers your IT teams with a much more accurate view of the vulnerabilities within your networks and systems at a specific point in time.

It is important to not hire “reckless” penetration testers who cannot provide a detailed testing approach. An independent penetration tester should have their own documented penetration testing methodology or make use of a commonly accepted methodology such as the Open Source Security Testing Methodology (OSSTMM).

The Council of Registered Ethical Security Testers (CREST) verifies an organisation as meeting the rigorous standards it mandates. A list of approved pen testers is published on the CREST website.

Although there are several commercial products that can provide credible testing parameters and results, nothing replaces a manual test conducted by a true ‘ethical hacking’ professional, certified by a regulatory organisation such as CREST. CREST member companies must undergo a rigorous assessment and certification process that looks at methodologies, test hygiene, staff vetting and data handling.

IT Governance’s CREST-approved penetration tests mean that our clients can rest assured that the work will be carried out to rigorous standards by qualified and knowledgeable individuals.

To get an overview of the different levels of tests offered by IT Governance, have a look at this informative table.