# Vulnerability Assessment

1. For solutions handling personal data: Complete a vulnerability assessment if it is stated as **mandatory** in your solution's requirements checklist.

{% hint style="info" %}
Vulnerability Assessment (VA) is the examination of an information system or product to determine the adequacy of security measures; the identification of security deficiencies; to predict the effectiveness of the proposed security measures; and to confirm the adequacy of such measures after implementation.
{% endhint %}

2. Check your [solution's category requirements](https://preapproval-guide.imda.gov.sg/pre-approval-guide/stage-1-vendor-self-assessment/identify-suitable-solution-category) to determine if a vulnerability assessment is mandatory. The vulnerability assessment requirement is shown in the table below.

| <p>Has your solution undergone a comprehensive security vulnerability assessment/penetration testing (VA/PT) conducted by a qualified third party within the last 12 months? The scope of the VA/PT must cover network security; application security; data protection measures and access control (if applicable); API security testing (if applicable); and cloud security configuration review (if applicable). Specifically, for web application security, the scope must cover, at a minimum, all OWASP Top 10 vulnerabilities.</p><p>Please submit the VA/PT report (dated no more than 1 year before the checklist submission date). The VA/PT report must include: executive summary; detailed findings and risk ratings; remediation recommendations; evidence of vulnerability fixes or mitigation plans; testing methodology used; scope of assessment; and the assessor's qualifications and certifications.</p><p>If you are a reseller of the solution, please obtain the VA/PT report from your product principal. A SOC 2 Type II report can be accepted if the detailed technical vulnerability assessment results are part of the SOC 2 Type II scope.</p><p>Note:<br>\[1] Qualified third party refers to: CREST-certified companies (<a href="https://www.crest-approved.org/members/">https://www.crest-approved.org/members/</a>) or companies with security professionals holding relevant CREST certifications; or security professionals with recognised certifications such as Offensive Security Certified Professional (OSCP), EC-Council Certified Penetration Testing Professional (CPENT), GIAC Penetration Tester (GPEN), or other equivalent industry-recognised certifications.</p> |
| --- |

{% hint style="info" %}
**Preparing for submission?**

* Your submission should include:

  a) Name of the third-party assessor\
  b) Date of the assessment\
  c) The latest Vulnerability Assessment report, with the file named "Vulnerability Assessment Report DDMMYYYY.pdf"

* The vulnerability assessment must have been conducted within the year preceding the checklist submission
* The report must not contain high or critical findings
* The scope must cover the solution being submitted for pre-approval
{% endhint %}

{% hint style="success" %}
Tips: We recommend starting with this step first while working on other parts of your pre-approval application simultaneously.
{% endhint %}

{% hint style="warning" %}
FAQ

Q: Can I submit my application before completing this requirement?

A: No, this requirement must be fulfilled before submission. However, you can work on this while preparing other application requirements.
{% endhint %}
