A critical step to ensure that your project is a success is in choosing which supplier to use.

As an absolute fundamental when choosing a security partner, first eliminate the supplier who provided the systems that will be tested. To use them will create a conflict of interest (will they really tell you that they deployed the systems insecurely, or quietly ignore some issues).

Detailed below are some questions that you might want to ask your potential security partner:

• Is security assessment their core business?
• How long have they been providing security assessment services?
• Do they offer a range of services that can be tailored to your specific needs?
• Are they vendor independent (do they have NDAs with vendors that prevent them passing information to you)?
• Do they perform their own research, or are they dependent on out-of-date information that is placed in the public domain by others?
• What are their consultant’s credentials?
• How experienced are the proposed testing team (how long have they been testing, and what is their background and age)?
• Do they hold professional certifications, such as PCI, CISSP, CISA, and CHECK?
• Are they recognized contributors within the security industry (white papers, advisories, public speakers etc)?
• Are the CVs available for the team that will be working on your project?
• How would the supplier approach the project?
• Do they have a standardized methodology that meets and exceeds the common ones, such as OSSTMM, CHECK and OWASP?
• Can you get access to a sample report to assess the output (is it something you could give to your executives; do they communicate the business issues in a non-technical manner)?
• What is their policy on confidentiality?
• Do they outsource or use contractors?
• Are references available from satisfied customers in the same industry sector?
• Is there a legal agreement that will protect you from negligence on behalf of the supplier?
• Does the supplier maintain sufficient insurance cover to protect your organization?