Vulnerability Assessment

This is a mandatory requirement for solutions that handle personal data based on the solution requirements checklist.

  1. For solutions handling Personal Data: Complete a vulnerability assessment if it is stated as mandatory in your solution's requirements checklist.

Vulnerability Assessment (VA) is the examination of an information system or product to determine the adequacy of its security measures, to identify security deficiencies, to predict the effectiveness of proposed security measures, and to confirm the adequacy of those measures after implementation.

  1. Check your solution's category requirements to determine if a vulnerability assessment is mandatory. The vulnerability assessment requirement is shown in the table below.

Has your solution undergone a comprehensive security vulnerability assessment/penetration testing (VA/PT) conducted by a qualified third-party within the last 12 months? The scope of the VA/PT must cover network security; application security; data protection measures and access control (if applicable); API security testing (if applicable); Cloud security configuration review (if applicable). Specifically, for web application security, the scope must cover minimally all OWASP Top 10 vulnerabilities.

Please submit the VA/PT report (dated maximum 1 year from the checklist submission date). The VA/PT Report must include Executive summary; Detailed findings and risk ratings; Remediation recommendations; Evidence of vulnerability fixes or mitigation plans; Testing methodology used; Scope of assessment; Assessor's qualifications and certifications.

If you are a reseller of the solution, please obtain the VA/PT report from your product principal. A SOC 2 Type II report can be accepted if the detailed technical vulnerability assessment results are part of the SOC 2 Type II scope.

Note: [1] Qualified third-party refers to: CREST-certified companies [https://www.crest-approved.org/members/] or companies with security professionals holding relevant CREST certifications; or security professionals with recognised certifications such as Offensive Security Certified Professional (OSCP), EC-Council Certified Penetration Testing Professional (CPENT), GIAC Penetration Tester (GPEN), or other equivalent industry-recognised certifications.

Preparing for submission?

  • Your submission should include:
    a) Name of the 3rd party assessor
    b) Date of the assessment test
    c) The latest Vulnerability Assessment report, with the file named "Vulnerability Assessment Report DDMMYYYY.pdf"

  • The Vulnerability Assessment test must have been conducted within the past year from the checklist assessment

  • The report must not have high or critical findings

  • The scope should cover the solution being submitted for approval
