Penetration Testing Standards · PEN

Overview

These standards define how penetration tests must be planned, approved, executed and reported to minimise risk to live systems and ensure actionable outcomes.

The scope of the penetration test must be defined clearly in advance · PEN-01 · MUST · DEV/TEST

Define the scope explicitly before testing begins, specifying systems, applications, and components to be tested.

Recognised scope types include:

  • External Network Testing
  • Internal Network Testing
  • Web Application Testing
  • API Testing
  • Cloud Infrastructure Testing
  • Social Engineering (only if explicitly agreed)

The penetration test must have formal sign-off from the System Owner and Relevant Stakeholders before it begins · PEN-02 · MUST · DEV/TEST

An agreed contract or Statement of Work (SoW) from the testing provider must be in place and cover: scope, methodology, test windows, escalation paths, impact management, and legal statements.

Testing should be performed on a representative environment · PEN-03 · SHOULD · DEV/TEST

Prefer a non-production environment that mirrors production configuration (e.g. Azure Front Door, Web Application Firewall). Avoid testing in production unless absolutely necessary and explicitly approved.

System access to conduct the penetration test must be controlled and monitored · PEN-04 · MUST · DEV/TEST

Grant the least privilege required for the duration of testing. Access must be time-bound and revoked immediately after testing concludes. Maintain audit logs of access and tester activity, and rotate any credentials or tokens post-test.

Penetration testers must not have access to production data · PEN-05 · MUST · DEV/TEST

Do not provide testers with access to live production data. If the production environment must be used, ensure it contains no live production data, or anonymise sensitive data to an acceptable standard. After testing, reset or roll back any changes and revoke access.

Penetration testers must provide a formal report of findings and remediation recommendations · PEN-06 · MUST · DEV/TEST

Require a formal report including scope and methodology, evidence of findings with severity ratings, impacted assets, reproducible steps, and clear remediation recommendations.