To implement TVM-06 ("Define, implement and evaluate processes, procedures and technical measures for the periodic performance of penetration testing by independent third parties.") of CSA STAR (CCM v4.0.5): for a CSP that has more than 50 cloud products, if the CSP defines the penetration testing frequency as a 3-year cycle, penetration testing will be performed on all 50 products batch by batch within the 3-year cycle, and the cycle then continues. In the end, all of the products will have been penetration tested once every 3 years by an independent third party.
As the periodicity is not mentioned in control TVM-06, a reasonable periodicity seems acceptable to us.

Questions:
Will this process satisfy control TVM-06?
Please give references to industry best practices for implementing control TVM-06.
As per control 5.1.1 of ISO/IEC 27017:2015, the cloud service provider should augment its information security policy to address the provision and use of its cloud services. One of the elements taken into account is the lifecycle management of cloud service customer accounts; a pen test can be linked to the product, that is, to a customer, since not all products are for all customers.