How to develop a structured approach to penetration testing

Penetration testing is an essential weapon in the fight against cyber crime. Regular penetration tests are fundamental for ensuring that an organisation’s networks and applications are secure. Penetration testing is also a requirement for compliance with standards such as ISO 27001 and the PCI DSS.

Adopting a structured approach to penetration testing is important for ensuring objectives are met. In its guide to procuring penetration testing services, CREST (the not-for-profit professional body representing the ethical security testing and cyber incident response industry) recommends that this approach be based on five stages:


Determine the business requirements for testing

CREST advises that you determine your business requirements prior to starting your testing, and then consider the best way these requirements can be met. According to research, the four main drivers for penetration testing are the growing requirement for compliance, the impact of serious security attacks on other similar organisations, the greater number and variety of outsourced services, and significant changes to business processes.

A possible approach to determining your business requirements is visualised in the following diagram by CREST.


Agree testing scope

The scope of penetration testing needs to be defined prior to commencement of the testing activities. The scope is dependent on the target environment to be tested and the business purpose for conducting the test.

It is also important to determine which systems are ‘out of scope’ in order to prevent ambiguity, which could result in incomplete coverage or unauthorised testing.

CREST outlines the key elements for defining the scope as follows:


Establish a management assurance framework

Establishing a management assurance framework to help manage the testing process is important. An effective framework will provide assurance to stakeholders that the objectives of the penetration test(s) are achieved, contracts with suppliers are signed off and monitored, risks to the organisation are kept to a minimum, any changes to the scope of the penetration test are managed quickly and efficiently, and problems are satisfactorily resolved.


Plan and conduct testing

A systematic and structured methodology for conducting a penetration test is vital to its effectiveness. CREST advises producing a detailed test plan that outlines what will be done during the test and identifies the processes, techniques or tools to be used. The plan should serve as a mechanism for formally agreeing the testing scope and the activities that surround the testing.

While there are standard penetration testing methodologies, penetration testing providers may develop their own methodology appropriate to your circumstances.

According to CREST, all forms of penetration testing should adhere to some variant of the process described below. The activities performed and the amount of time spent on each step will vary depending on the nature of the test, the scope agreed prior to testing and the target system.


Implement improvement programme

To reduce risk both in the longer term and across the whole organisation, it is useful to initiate an improvement programme that can include the following steps as described by CREST.


Choosing a penetration testing provider

Appointing an external provider of penetration testing services is not a trivial task. You need to select a provider who can not only meet your requirements but can also offer you certainty, trust and security.

CREST member companies, like IT Governance, have been verified as meeting the rigorous standards mandated by CREST. Clients can rest assured that the work will be carried out to a high standard by qualified and knowledgeable individuals.

For further details, please see our Penetration Testing Packages.

To book your penetration testing service, or to discuss your requirements, please call us now on +44(0) 203 633 2144 or email us.
