
Commit

Merge pull request #915 from Jonathan-Scott14/patch-19
Update how-to-do-penetration-tests.html.md.erb
Jonathan-Scott14 authored Jul 3, 2024
2 parents b39465b + ae41e86 commit dc5fed5
Showing 1 changed file with 7 additions and 5 deletions.
12 changes: 7 additions & 5 deletions source/standards/how-to-do-penetration-tests.html.md.erb
@@ -1,14 +1,16 @@
---
title: How to arrange and manage penetration tests
last_reviewed_on: 2023-11-20
last_reviewed_on: 2024-06-27
review_in: 6 months
---

# <%= current_page.data.title %>

You should aim to run [penetration tests](https://www.gov.uk/service-manual/technology/vulnerability-and-penetration-testing) on your service at least every 12 months. You must discuss all significant changes with the GDS [Information Security] IA team. You must agree with the [Information Security] IA team when you will test and the scope of the tests. They will also assist with the procurement of external tests through an approved third party through the [National Cyber Security Centre (NCSC) CHECK scheme]. Alternatively, with the agreement of the IA team, a member of the [COD Cyber] Team can carry them out internally, depending on the requirements.
You should aim to run [penetration tests](https://www.gov.uk/service-manual/technology/vulnerability-and-penetration-testing) on your service at least every 12 months. You must discuss all significant changes with the GDS [Information Security][] team. You must agree with the [Information Security][] team when you will test and the scope of the tests. They will also assist with the procurement of external tests through an approved third party through the [National Cyber Security Centre (NCSC) CHECK scheme]. Alternatively, with the agreement of the Info Sec team, a member of the [COD Cyber] Team can carry them out internally, depending on the requirements.

You may need to schedule additional testing if you make significant changes to your service. You should meet with the IA team regularly to discuss ongoing changes.
Information Security are working on a GDS-level contract for ITHC services, which should make obtaining an ITHC for your service a more streamlined process.

You may need to schedule additional testing if you make significant changes to your service. You should meet with the Info Sec team regularly to discuss ongoing changes.

A significant change could be when you:
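
Review bot: The added paragraph "Information Security are working on a GDS-level contract for ITHC services" uses "ITHC" twice without expanding it, while the rest of the page only speaks of penetration tests. Expand it on first use (IT Health Check) and say how it relates to a penetration test, so a service team knows whether the contract covers the testing this page asks for. The same hunk also mixes "[Information Security][] team" and "Info Sec team" within one paragraph; pick one name and use it throughout. Finally, "are working on" is a time-bound statement, and with `review_in: 6 months` it can sit stale until the next review; consider wording that stays true or noting who updates it once the contract is in place.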

@@ -47,9 +49,9 @@ Before testing, you should define and agree:

## Schedule a test

To schedule a test, [Information Security] IA team.
To schedule a test, [Information Security][] team.

If you plan to test any application, you must contact the IA team at least 3 months in advance so they can organise the procurement for you.
If you plan to test any application, you must contact the Info Sec team at least 3 months in advance so they can organise the procurement (or call-off against the existing framework) for you.

If you are planning to ask the [COD Cyber] team to perform a test, you will need to enter the information listed in the [scope your test section](#scope-your-test) and the [prepare for your test section](#prepare-for-your-test) into a Rules of Engagement document, where a scope can be agreed and signed off by both parties. As with an external company, you should give at least 3 months' notice to make sure you can schedule the test at a time that suits project timelines.
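
Review bot: The line "To schedule a test, [Information Security][] team." still has no verb after this change, so the instruction does not say what the reader should do; suggest "To schedule a test, contact the [Information Security][] team." In the next changed line, "call-off against the existing framework" refers to a framework this page never names, and the paragraph added earlier in this commit says the GDS-level contract is still being worked on. Say which framework is meant, or hold the parenthetical until the contract exists, so teams do not assume a shorter lead time than the 3 months stated here.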
