Testing happens only when something external demands it: a compliance audit, a customer questionnaire, a contract requirement. There is no internal driver, no defined owner, and no expectation that results will change anything. The organization has visibility into its attack surface only when it is forced to look.
Outcomes
- At least one penetration test or vulnerability assessment is completed annually
- Critical business systems are identified at a basic level
- Test findings are documented and available for review
- Critical and High vulnerabilities are prioritized for remediation
Actions
1. Engage a qualified third party to conduct an annual penetration test or vulnerability assessment
2. Create a basic asset inventory covering the systems, applications, and data stores critical to operations
3. Store test results centrally so they can be referenced and tracked over time
4. Prioritize remediation of Critical and High findings before the next assessment cycle
5. Brief IT and security stakeholders on findings after each test
Sustainment Criteria
All criteria must be met to hold this level. If any criterion is unmet at reassessment, consider yourself at the previous level.
- An annual assessment is consistently completed, not deferred or skipped
- An asset inventory exists covering known critical business systems and is reviewed at least once per year
- All Critical findings have either been remediated or have a documented mitigation plan in place
- Test results and remediation actions are stored centrally and are accessible to relevant staff
Practitioner note
At T1 the primary risk is not technical; it is organizational inertia. Testing that produces reports no one reads, remediates no findings, and informs no decisions has not improved security posture, however thorough the test itself was. The value of T1 is establishing the habit of looking, so that there is a baseline to build a real program on.
Moving to T2
Establish a predictable testing cadence that is independent of compliance demands, expand the asset inventory beyond the compliance-defined scope, and implement a remediation workflow that tracks each finding from discovery to validated closure (retested, not just marked fixed).
Corresponding Governance & Integration level
G1 Absent
Organizations often develop these axes at different rates. Compare your position on both.