OM-5.5.28
All
(a) Follow a risk-based approach based on an internationally recognized methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;
(b) Include both Grey Box and Black Box testing in its scope;
(c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;
(d) Be performed by internal and external independent third parties which should be changed at least every two years; and
(e) Be performed on either the production environment or on non-production exact replicas of the production environment.
Added: July 2021