2403.0—2403.0
Control Description
The Supplier shall conduct penetration testing (minimum every 12 months) against externally facing systems used to support the operation of Functions and that protect Data. The penetration testing programme shall be based upon industry standards and performed by subject matter experts. The Supplier shall ensure that any deficiencies identified are remediated in a timely manner in line with their risk to the network. The Supplier shall retain records including:
i) The scope and methodology utilised
ii) The number of critical, high, and medium severity findings
iii) The name of the tester
iv) The date of the testing
v) Timelines and actions for a remedial plan.
Cross-Framework Mappings