The time period between two consecutive penetration test and the vulnerability assessment by an independent third party, referred to in Paragraph SIO-9.7.30(e) must be 6 months and the report on such testing must be provided to CBB within two months following the end of the month where the testing took place. The vulnerability assessment and penetration testing reports must include the vulnerabilities identified and a full list of ‘passed’ tests and ‘failed’ tests together with the steps taken to mitigate the risks identified.