Why conduct a penetration test?

An organisation should carry out a penetration test:

• In response to the impact of a serious breach on a similar organisation;
• To comply with a regulation or standard, such as the PCI DSS (Payment Card Industry Data Security Standard) or the EU GDPR (General Data Protection Regulation);
• To ensure the security of new applications or significant changes to business processes;
• To manage the risks of using a greater number and variety of outsourced services; and/or
• To assess the risk of critical data or systems being compromised.

When penetration testing is conducted within the UK, there are a number of laws that govern the activities that form part of a penetration test.

For the majority of tests, these laws include the following:

• UK Computer Misuse Act 1990
• UK Data Protection Act 1998
• Human Rights Act 1998
• Police and Justice Act 2006

In order to ensure that penetration testing is conducted in line with UK law and also to ensure that the test is conducted as efficiently as possible, a testing consent form must always be used to capture the exact scope of the test and provides those responsible for an organisation’s infrastructure with a means of providing their consent.