Penetration Testing - A Guide for Running an Effective Programme

The CREST Penetration Testing Guide provides practical advice on the establishment and management of a penetration testing programme, helping organisations to conduct effective, value-for-money penetration testing as part of a technical security assurance framework. It is designed to enable organisations to prepare for penetration tests, conduct the tests themselves in a consistent, competent manner and follow up on the results effectively.

The Guide presents an overview of the key concepts that need to be understood to conduct well-managed penetration tests, explaining what a penetration test is and is not, outlining its strengths and limitations, and describing why an organisation would typically choose to employ an external provider of penetration testing services to help plan for and undertake tests effectively, ensuring that vulnerabilities are identified and remediated.

The Guide sets out a three-stage approach and provides advice and guidance on how to take the required actions to:

  1. Prepare for penetration testing, as part of a technical security assurance framework, managed by an appropriate penetration testing governance structure; considering the drivers for testing, the purpose of testing and the target environments; and appointing suitable suppliers to perform tests
  2. Conduct penetration tests enterprise-wide, agreeing the testing style and type; assessing testing constraints; managing the testing process; planning for and carrying out tests effectively; and identifying, exploiting and remediating vulnerabilities
  3. Carry out appropriate follow-up activities, remediating weaknesses, maintaining an improvement plan and delivering an agreed action plan.

Download the CREST Penetration Testing Guide here (PDF)