Frequently asked questions
Last modified on: 18-03-2025

General: penetration testing and ethical hacking
A penetration test or pen test is a manual inspection where the goal is to penetrate as deeply as possible into a system to find weaknesses and understand their consequences. These weaknesses are then used to delve even deeper into the system. The purpose of the test is not to find as many weaknesses as possible, as is the case with a vulnerability scan.
The vulnerability assessment is a manual inspection where weaknesses in a system are identified. The approach is predetermined. In a vulnerability assessment, the goal is to find all weaknesses in a specific area. This differs from a penetration test where the aim is to penetrate as deeply as possible into a system.
See also (coming soon): ‘Buyers guide security testing’ – Cyberveilig Nederland.
A vulnerability scan is an automated check that detects weaknesses in a system. Findings are only removed manually if they turn out to be false positives.
The pen test and the vulnerability assessment consist largely of manual checks performed by a specialized ethical hacker. Creativity and expertise play an essential role in identifying risks that would otherwise go unnoticed. When the majority of the test is automated, it is called a vulnerability scan. A scanner only recognizes the known patterns it has been configured to detect; in many cases it lacks the intelligence to find vulnerabilities that deviate from those patterns.
General: certification
On the website of the CCV, a 2-minute video (in Dutch) explains what certification is and how it works.
With a quality mark or certificate, a company demonstrates that the delivered products and/or services meet the standard. This is assessed by a certification body, which has an agreement with the CCV. By opting for a CCV quality mark, you choose quality.
The CCV is the owner of the pen testing scheme. It acts as the independent scheme manager and the author of the document. The CCV has brought together the interests of certification bodies, service providers and customers.
Questions for customers
Potential customers have a duty to conduct their own research into the background of service providers. All certified companies are listed on the CCV website.
The client enters into an agreement with a certified pen test service provider. The costs for conducting a pen test vary depending on the type of test, scope, and service provider. Therefore, to get insight into the costs of a pen test, you need to request a quote from a cyber security service provider that offers pen tests. Service providers working with the quality mark are listed on the CCV website.
Yes. If the service provider no longer meets the requirements of the certification scheme, the service provider can be suspended or the license can be revoked.
In the event of suspension or revocation, the service provider is no longer allowed to refer to certified status in its communication. If the service provider still solicits customers using its certified status, this constitutes fraud. It is the responsibility of the certification body to supervise this. The CCV takes action against service providers who are not clients of a certification body and wrongly use a quality mark.
The listing of the service provider on the CCV’s website will be changed from ‘certified’ to ‘suspended’. However, the service provider is not obligated to actively communicate to its existing customers about a suspension. In the case of a suspension, the identified shortcomings are resolvable. In the case of revocation, more action is required from the service provider to meet the requirements again. The listing may be temporarily or permanently removed from the CCV’s website in such cases.
A pen tester is qualified based on practical certificates. The list of qualifications is available on the CCV website and is reviewed annually, being adjusted or updated as necessary based on input from the industry organization Cyberveilig Nederland. Any changes are confirmed in the Committee of Interested Parties, which includes all stakeholders involved in the project: framework setters, customers, service providers, and certification bodies.
The Pen testing Certification Scheme is based on a minimum requirement of a certificate of good conduct (VOG) no older than 3 years. If a customer deems a more rigorous screening necessary for the service provider/employee, this can be agreed upon and arranged when issuing the assignment. In the majority of cases, a VOG no older than 3 years will suffice.
Vulnerabilities can be identified based on a penetration test. Using the pen test report, the identified vulnerabilities and risks can be remedied or mitigated. To ensure that the identified vulnerabilities are resolved correctly, it is advisable to conduct a retest. A retest may be part of a pen test but is not mandatory. If it is not a standard part of a pen test, this is not a reason for rejection by the certification body.
Technical tools for conducting pen tests are constantly evolving. Therefore, they are not specified in the certification scheme. The certification body monitors that the provider meets all requirements for the pen test. This means that employees are qualified and that up-to-date and effective tools are used to detect vulnerabilities.
This is custom work and not part of the certification scheme. In most cases, the agreement will be signed by the organization’s management. Additionally, or instead, the responsible manager or the IT director (CIO) may sign the agreement.
This depends on specific circumstances with the customer. The scope, extent, and handling of any deviations/peculiarities are contractually agreed upon in advance between the service provider and the customer.
Agreements regarding the processing of personal data, anonymization, and retention periods are documented in the service provider’s terms and conditions and potentially additionally in the agreement between the service provider and the customer.
A confidentiality agreement is included in the contract between the pen test organization and the customer, aimed at protecting the customer, in which agreements on this matter are recorded.
Questions for cyber security service providers
A cyber security service provider must meet the requirements of the CCV Certification Scheme for Cyber security Pen tests. This means that quality standards are set for the execution of the service (pen test), as well as for your organization. For example, pen testers have the required qualifications, a complaints procedure is established, and so forth.
- The certificate provides a good indication that the candidate has extensive knowledge and skills in the field of penetration testing. Entry-level certificates cannot meet these criteria.
- To obtain the certificate, the candidate undergoes an exam where he/she independently hacks for a minimum of 23 hours in a lab environment.
- After the exam, the candidate prepares a report that is actually assessed by an examiner.
- Adequate measures have been taken to prevent fraud during the exam.
- An exam for personal certification for pen testers has been available for at least 2 years to be considered for this list (sufficient track record to assess the other criteria).
For the CCV to consider a request to add a personal certificate to this list in the pen testing certification scheme, the provider of the training and/or the exam must supply the CCV with sufficient information to assess the criteria above.
An important point is that the requirements are not only implemented but that you can also demonstrate that you work on a day to day basis according to the quality standards. For example, with a quality management system. This will be verified during the audit in your organization.
If your organization offers multiple types of pen tests, then the quality mark applies to all pen tests. Please note: a pen test is different from a vulnerability scan. The latter is not covered by the CCV quality mark. The certification scheme contains the definition of pen tests.
To become certified for the CCV quality mark for pen testing, your organization goes through the following steps:
- Assess whether your organization meets the quality requirements specified in the CCV Certification Scheme for Cyber security Pen tests.
- Approach a certification body that executes the certification scheme at your organization. Enter into an agreement with the certification body of your choice, DEKRA, DigiTrust, or Kiwa.
- The certification body verifies whether your organization complies with the requirements in the CCV certification scheme for pen tests by conducting an audit.
- If any deficiencies are identified during the audit, you address these within your organization and report back to the certification body.
- Upon successful completion of the audit, you receive the Cyber security Pen test certificate from the certification body.
- From that moment on, you can conduct pen tests with the CCV quality mark.
- Your organization becomes visible as a pen testing company working under certification on the CCV website.
- Annually, the certification body conducts an assessment to ensure that the quality requirements of the quality mark are still met.
No, this is not legally mandatory.
The CCV does not directly enter into an agreement with the cyber security service provider. The service provider enters into an agreement with a certification body (CI). Therefore, the CCV also has no control over the fees charged by the certification body to the service providers. For more information on certification costs, you can request a quote from one of the certification bodies: DEKRA, DigiTrust, or Kiwa.
You will be listed as a professional in the CCV database. Customers can find certified cyber security service providers through this search engine. Additionally, you are allowed to indicate in your own market communications that you offer pen tests under the CCV quality mark.
Certification is conducted by certification bodies that meet the requirements of the certification scheme and have entered into a licensing agreement for the Pen test quality mark with the CCV. Currently, these are DEKRA, DigiTrust, and Kiwa.
Certification bodies always conduct an audit according to the requirements of the CCV Pen test Certification Scheme. Each certification body has its own approach to certifying a company. This individual approach can lead to differences in service, scheduling, or costs.
This will be included in the terms of delivery or service contract between the service provider and the customer. This can stipulate that outsourcing must always be agreed with the customer in advance, and that it only takes place with the explicit consent of the customer. (Please note that the certification scheme also limits the extent to which outsourcing can take place.)
No. A certification body must be able to conduct a thorough quality assessment. This involves, for example, ‘access to information’. The service provider must include in the general terms and conditions that personnel from the certification body may be present for the purpose of supervising quality assurance. Random attendance at pen tests also needs to be facilitated for credible oversight.
This depends on several factors. First, you must be clear whether your organization is ready for certification by being able to explicitly demonstrate the stated requirements in writing. Think of a dossier on pen testing, the qualifications of employees, the presence of a quality management system, and so on. You must provide the certification body with information in preparation for the audit. This includes recent Chamber of Commerce extracts, an organizational chart of your organization, and the quality management system. The availability of people, both in your organization and at the certification body, also affects the schedule. The duration also depends on the size of your organization, the number of pen tests you conduct, and the associated sampling.
Quality marks represent quality. Your company distinguishes itself positively in a cyber security market that is often unclear for customers. Customers can see immediately that your pen tests meet an independent quality mark and can use that as a selection criterion.
The mentioned certificates are considered ’too light’ for what a qualified pen tester should minimally know and be able to do.
The CCV pen test quality mark started with a focus on the Dutch market, but since the implementation of certification scheme version 2.0, both the scheme and the quality mark are also available in English.
There are no requirements regarding the size of your organization. It is about the quality of the conducted pen test.
Questions about certification bodies
The certification body conducts an annual audit at the service provider’s office to determine the extent to which the service provider still complies with the certification requirements.
Certification bodies authorized to certify pen test service providers under the scheme must be accredited by the Dutch Accreditation Council (RvA) for NEN-EN-ISO/IEC 17065 and for the ISO 27000 series.
A certification body interested in implementing the certification mark can contact the CCV at cybersecurity@hetccv.nl. A pre-license agreement is concluded, and the quality system is completed in accordance with the scheme. Subsequently, the CCV conducts a license audit. If this is successfully completed, the certification body enters into a license agreement with the CCV. The costs for a license are specified in the fee schedule.
A certification body enters into a license agreement with the CCV and pays an annual license fee for the use/implementation of the certification scheme. In addition, the CCV receives income through surcharges from the certification body for the use/mention of the certification mark and for each penetration test conducted (under the certification mark). These revenues are used, among other things, for the management of the scheme.
The fees for the certification body can also be found on the fee schedule published annually by the CCV.