CREST Defensible Penetration Test (CDPT)

The CREST Defensible Penetration Test (CDPT) is a specification that provides recommendations on how penetration tests should be scoped, delivered, and signed off.

It has been created to provide greater guidance and clarity to organisations purchasing penetration testing services, as organisations can still lack clarity on how to procure a penetration test, what they should expect from a penetration test, and how a penetration test delivers assurance for an organisation.

CDPT provides a best practice framework for penetration testing

This guidance provides both a best practice framework for penetration test defensibility and assurance of penetration tester competence in providing penetration testing services to clients.

It is not a methodology, but a process that any professional penetration test should follow.

The CDPT specification defines a minimum set of expectations associated with a penetration test

It allows for clients and service providers to work together to conduct penetration tests against legacy and emerging technologies, technology infrastructures, thick client, web and mobile applications, datacentres, mobile devices, or cloud security architectures.

This approach is designed to be commercially defensible, yet flexible and agile enough to support the cybersecurity industry in the years ahead. 

How do I benefit from LRQA Nettitude using the CDPT specification?

LRQA Nettitude wraps the CDPT around our penetration testing services to ensure that the penetration tests that we provide to our clients are properly scoped, delivered, and signed off.

Our penetration testing services can be delivered to meet CDPT. This specification is designed to provide value for entities that want to procure a penetration test.

CDPT guides the key areas of importance, and it highlights the need for the following elements:

1. The need for penetration testing service providers to have appropriate policies, procedures, practices, and methodologies

CREST defines this as an Accredited organisation. LRQA Nettitude are one of only a handful of companies in the world that hold all of CREST’s accreditations.

2. The need for individuals involved in the three key phases of a penetration test to have appropriate levels of skills, experience, and competency

CREST requires people involved in scoping, delivery, and sign-off to be both qualified and registered as skilled workers (i.e. they have signed the CREST code of conduct).

All LRQA Nettitude penetration testers are accredited by CREST and have signed the code of conduct.

3. The need for penetration testing service providers and the individuals conducting the assessment to work towards a defined and agreed test specification

This means a documented scope and documented exceptions, with the work scoped, delivered, and signed off by qualified people.

Suitably Qualified Individuals

The list of suitably qualified individuals is owned and maintained region-by-region across the globe.

Each CREST Council has the responsibility for defining suitably qualified individuals based on the prevalence of cybersecurity training and certification schemes that exist in their market.

A CDPT cannot be delivered by an organisation that is not accredited, or that does not use suitably skilled and competent individuals.

What are the phases of a CDPT?

Scoping

The scoping phase is essential for ensuring that the CDPT aligns with the assurance goals and objectives of the buyer.

The scoping phase must present guidance on the full attack surface that is relevant to the application, system or environment that is to be assessed.

Scoping must be undertaken by a suitably skilled individual who has signed the CREST code of conduct.

Delivery / Execution

The delivery phase must be conducted in accordance with the accredited methodology under which the CDPT is delivered.

It must be conducted by a suitably skilled individual who has signed the CREST code of conduct.

Sign-off

The sign-off phase must be undertaken by a suitably skilled or qualified individual, or by a company officer.

This phase is a formal attestation that the CDPT was conducted in accordance with the methodology and that the assessment was delivered against the agreed scope.

Reporting Requirements of a CDPT

Reporting requirements will vary according to:

  • The type of penetration test
  • The needs of the buyer
  • The regulatory environment (in which the organisation operates)
  • Further, emergent requirements

Complying with the CDPT Specification

When conducting a CDPT, there is a minimum set of expectations that must exist for the test to comply with the CDPT Specification.

The following non-exclusive list of reporting elements comprises only a minimum set of expectations for a CDPT:

  • Details of the goals and objectives of the assignment
  • Details of the scope of the assignment, including the location of the assessment, any exclusions or restrictions that applied to the assessment
  • Full details of the results of the CDPT
  • A timeline showing the key activities conducted during the CDPT
  • Remediation advice for each vulnerability identified
  • Evidence that each person involved in scoping, delivery and sign-off within the CDPT was suitably qualified

What are the benefits of using CREST-accredited companies?

CREST Accredited Penetration Testing companies, like LRQA Nettitude, have been assessed against stringent membership criteria as part of the annual accreditation cycle.

Each member company has signed a code of conduct that warrants that they will conduct penetration tests per the methodology assessed as part of their accreditation process.

All CREST companies that are accredited against the penetration testing discipline have undergone the same rigorous review process. This is true irrespective of the size or location of the organisation.

Why choose LRQA Nettitude for a CDPT?

We are proud to be one of the few global companies that is certified by CREST across all key disciplines.

Our team of consultants have achieved the highest accreditations for Penetration Testing, Red Teaming, Incident Response services and Threat Intelligence. In parallel, we were the first organisation to be accredited for our Security Operations Centre services.

LRQA Nettitude are certified by a range of governing bodies for our work within highly regulated industries, including the financial sector and the payment card industry, and are approved as a Qualified Security Assessor (QSA) company.

We practise what we preach and have the highest levels of rigour applied to all the risk management and security controls that are relevant to our organisation itself. We are certified against ISO 27001 and ISO 9001.

Launch of the CREST OVS

Initially, CREST launched a new service based on OWASP's ASVS and MASVS standards, called the CREST OWASP Verification Standard (CREST OVS), which follows the CDPT specification.

Learn more about CREST OVS and LRQA Nettitude’s delivery of this service.
