Chapter IV — Digital operational resilience testing
Section II — Advanced testing based on TLPT
Requirements for testers for the carrying out of TLPT
Summary
Specifies the qualification, independence and certification requirements for external testers conducting TLPT. Requires testers to demonstrate appropriate expertise, adhere to ethical standards, and maintain independence from the entity being tested. Allows internal testers under certain conditions.
Key Requirements
1. External testers must meet defined expertise and certification requirements
2. Testers must demonstrate independence from the entity being tested
3. Ethical standards and responsible disclosure obligations apply
4. Internal testers allowed only under strict conditions and with supervisory approval
5. Testers must carry professional indemnity insurance
Detailed Analysis
Article 27 establishes the quality assurance framework for TLPT by defining the requirements that testers must meet. The credibility and value of TLPT depends entirely on the competence and independence of the teams conducting the tests, making these requirements essential safeguards.
External testers must demonstrate appropriate expertise through recognized certifications, proven track record in penetration testing and red teaming, and specific experience in the financial services sector. They must carry professional indemnity insurance adequate for the potential consequences of testing activities on live production systems.
Independence is a non-negotiable requirement. Testers must not have conflicts of interest that could compromise their objectivity or the thoroughness of their testing. In practice, a firm providing TLPT services should not simultaneously provide security consulting or system integration services to the same entity, since doing so could create an incentive to underreport findings.
The article allows for the use of internal testers under specific conditions, typically requiring supervisory approval and enhanced governance measures. This recognizes that some entities have established internal red teams with genuine capabilities, but adds safeguards to ensure that internal testing achieves the same level of rigor as external testing. Internal testers must demonstrate organizational independence from the teams responsible for the systems being tested.
Ethical standards are explicitly required, including responsible handling of discovered vulnerabilities and sensitive data encountered during testing. Testers must adhere to defined rules of engagement and escalation procedures, with clear protocols for managing situations where testing activities could cause unintended harm.