Penetration testing must be conducted by which type of tester?

Prepare for the PCI DSS Test with detailed questions and explanations. Use flashcards and quizzes to enhance knowledge. Ensure you're ready for your certification exam!

Explanation:
Penetration testing should be performed by someone who has proven, relevant skills and experience. The tester must be qualified to conduct realistic and safe tests, document findings, and guide remediation.

A qualified internal resource is the best fit because they bring up-to-date knowledge of the organization’s specific systems, networks, configurations, and governance processes. They can scope tests accurately, work within established change-management and data-handling policies, and follow through with remediation within the same organizational context. While external testers can also be qualified, the requirement centers on having qualified personnel, and internal staff who meet those qualifications align most closely with the standard’s expectations for controlled, repeatable testing within the organization.
