<!DOCTYPE html> <html lang="en"> <head> <title>Cloud penetration testing - an essential guide | LRQA</title> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=Edge"> <meta name="description" content="Looking into Cloud Penetration Testing? Check out our all you need to know guide on everything Cloud Penetration Testing."> <meta name="keywords" content=""> <meta name="robots"> <link href="https://www.lrqa.com/en/insights/articles/cloud-penetration-testing-an-essential-guide/" rel="canonical" /> <link href="https://www.lrqa.com/en/insights/articles/cloud-penetration-testing-an-essential-guide/" hreflang="en" rel="alternate" /><link href="https://www.lrqa.com/en-gb/insights/articles/cloud-penetration-testing-an-essential-guide/" hreflang="en-GB" rel="alternate" /> <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1"> <!-- CookiePro Cookies Consent Notice start for lrqa.com --> <script src="https://cookie-cdn.cookiepro.com/scripttemplates/otSDKStub.js" data-document-language="true" type="text/javascript" charset="UTF-8" data-domain-script="cc51e9c6-d2ee-45e0-a251-56de9aa737e2" ></script> <script type="text/javascript"> function OptanonWrapper() { } </script> <!-- CookiePro Cookies Consent Notice end for lrqa.com --> <!-- Google Tag Manager --> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-MDFXZ4S');</script> <!-- End Google Tag Manager --> <script type="text/javascript" async src="https://bot.leadoo.com/bot/dynamic.js?company=i6ve0AXZ"></script> <link rel="icon" href="/static/images/favicons/LRQA-Icon-144.png"> <link rel="icon" href="/static/images/favicons/LRQA-Icon-192.png"> <link rel="apple-touch-icon" href="/static/images/favicons/LRQA-Icon-192.png"> <link rel="icon" href="/static/images/favicons/LRQA-Icon-196.png"> <link rel="icon" href="/static/images/favicons/LRQA-Icon-512.png"> <link rel="manifest" href="/static/lrqa/manifest.json"> <meta name="theme-color" content="#fff" /> <meta name="format-detection" content="telephone=no"> <link rel="preconnect" href="https://fonts.googleapis.com" crossorigin> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link rel="preload prefetch" href="https://fonts.gstatic.com/s/lato/v24/S6u9w4BMUTPHh50XSwiPGQ.woff2" crossorigin="anonymous" as="font" type="font/woff2"> <link rel="preload prefetch" href="https://fonts.gstatic.com/s/lato/v24/S6uyw4BMUTPHjx4wXg.woff2" crossorigin="anonymous" as="font" type="font/woff2"> <link rel="preload prefetch" href="https://fonts.gstatic.com/s/sourcesans3/v15/nwpStKy2OAdR1K-IwhWudF-R3w8aZQ.woff2" crossorigin="anonymous" as="font" type="font/woff2"> <link rel="preload prefetch" href="https://fonts.googleapis.com/css2?family=Lato:ital,wght@0,300;0,400;0,700;0,900;1,300;1,400;1,900&amp;family=Source+Sans+3:ital,wght@0,400;0,700;1,400;1,700&amp;display=swap" crossorigin="anonymous" as="style" type="text/css"> <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Lato:ital,wght@0,300;0,400;0,700;0,900;1,300;1,400;1,900&amp;family=Source+Sans+3:ital,wght@0,400;0,700;1,400;1,700&amp;display=swap" crossorigin="anonymous" as="style" type="text/css"> <link rel="preload" href="/static/css/lrqa/styles.css?v=2.4.2" as="style"> <link rel="preload" href="/static/js/lrqa/esm-app.js?v=2.4.2" crossorigin="anonymous" as="script"> <link rel="stylesheet" href="/static/css/lrqa/styles.css?v=2.4.2" /> <link rel="stylesheet" disabled media="(min-width: 48rem)" href="/static/css/lrqa/styles-media-min-width-48rem.css?v=2.4.2" /> <link rel="stylesheet" disabled media="(min-width: 64rem) and (prefers-reduced-motion: reduce)" href="/static/css/lrqa/styles-media-min-width-64rem-and-prefers-reduced-motion-reduce.css?v=2.4.2" /> <link rel="stylesheet" disabled media="(prefers-reduced-motion: reduce)" href="/static/css/lrqa/styles-media-prefers-reduced-motion-reduce.css?v=2.4.2" /> <link rel="stylesheet" disabled data-supports="not (margin-block: 10px)" media="(min-width: 10000000px)" href="/static/css/lrqa/styles-supports-not-margin-block-10px.css?v=2.4.2" /> <link rel="stylesheet" disabled data-supports="not selector(p:has(p))" media="(min-width: 10000000px)" href="/static/css/lrqa/styles-supports-not-selectorp-hasp.css?v=2.4.2" /> <link rel="stylesheet" disabled data-supports="not selector(*:focus-visible)" media="(min-width: 10000000px)" href="/static/css/lrqa/styles-supports-not-selector-focus-visible.css?v=2.4.2" /> <link rel="stylesheet" disabled data-supports="not (aspect-ratio: 16/9)" media="(min-width: 10000000px)" href="/static/css/lrqa/styles-supports-not-aspect-ratio-16-9.css?v=2.4.2" /> <script> var allLinks = document.querySelectorAll("link[media][disabled], link[data-supports][disabled]"); for (let i = 0; i < allLinks.length; i++) { var link = allLinks[i]; var linkSupports = link.getAttribute("data-supports"); if (link.media) { var mediaMatch = window.matchMedia(link.media); if (mediaMatch.matches) { link.disabled = false; } } if (linkSupports) { if (typeof CSS !== "undefined") { if (CSS.supports("selector(:focus)")) { if (CSS.supports(linkSupports)) { link.disabled = false; link.media = "all"; } } else { link.disabled = false; link.media = "all"; } } else { link.disabled = false; link.media = "all"; } } } </script> <noscript> <link rel="stylesheet" href="/static/css/lrqa/styles-media-min-width-48rem.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/styles-media-min-width-64rem-and-prefers-reduced-motion-reduce.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/styles-media-prefers-reduced-motion-reduce.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/styles-supports-not-margin-block-10px.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/styles-supports-not-selectorp-hasp.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/styles-supports-not-selector-focus-visible.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/styles-supports-not-aspect-ratio-16-9.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/epiforms.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/dialog.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/dialog.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/dialog-media-min-width-48rem.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/dialog-supports-not-selector-focus-visible.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/epiforms.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/epiforms-media-min-width-64rem.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/epiforms-media-prefers-reduced-motion-reduce.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/epiforms-supports-not-margin-block-10px.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/epiforms-supports-not-selector-focus-visible.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/eventDetails.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/eventDetails-supports-not-selectorp-hasp.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/header.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/header-media-max-width-63-9375rem-and-prefers-reduced-motion-reduce.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/header-media-min-width-64rem-and-prefers-reduced-motion-reduce.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/header-media-max-width-63-9375rem?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/header-media-prefers-reduced-motion-reduce.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/header-media-min-width-48rem.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/header-media-max-width-63-9375rem.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/header-supports-not-selector-focus-visible.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/header-supports-not-margin-block-10px.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/listing.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/listing-media-min-width-64rem.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/listing-media-prefers-reduced-motion-reduce.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/listing-supports-not-selectorp-hasp.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/lrqa/listing-supports-not-selector-focus-visible.css?v=2.4.2" /> <link rel="stylesheet" href="/static/css/videoApi.css?v=2.4.2" /> </noscript> <script> !function(T,l,y){var S=T.location,k="script",D="instrumentationKey",C="ingestionendpoint",I="disableExceptionTracking",E="ai.device.",b="toLowerCase",w="crossOrigin",N="POST",e="appInsightsSDK",t=y.name||"appInsights";(y.name||T[e])&&(T[e]=t);var n=T[t]||function(d){var g=!1,f=!1,m={initialize:!0,queue:[],sv:"5",version:2,config:d};function v(e,t){var n={},a="Browser";return n[E+"id"]=a[b](),n[E+"type"]=a,n["ai.operation.name"]=S&&S.pathname||"_unknown_",n["ai.internal.sdkVersion"]="javascript:snippet_"+(m.sv||m.version),{time:function(){var e=new Date;function t(e){var t=""+e;return 1===t.length&&(t="0"+t),t}return e.getUTCFullYear()+"-"+t(1+e.getUTCMonth())+"-"+t(e.getUTCDate())+"T"+t(e.getUTCHours())+":"+t(e.getUTCMinutes())+":"+t(e.getUTCSeconds())+"."+((e.getUTCMilliseconds()/1e3).toFixed(3)+"").slice(2,5)+"Z"}(),iKey:e,name:"Microsoft.ApplicationInsights."+e.replace(/-/g,"")+"."+t,sampleRate:100,tags:n,data:{baseData:{ver:2}}}}var h=d.url||y.src;if(h){function a(e){var t,n,a,i,r,o,s,c,u,p,l;g=!0,m.queue=[],f||(f=!0,t=h,s=function(){var e={},t=d.connectionString;if(t)for(var n=t.split(";"),a=0;a<n.length;a++){var i=n[a].split("=");2===i.length&&(e[i[0][b]()]=i[1])}if(!e[C]){var r=e.endpointsuffix,o=r?e.location:null;e[C]="https://"+(o?o+".":"")+"dc."+(r||"services.visualstudio.com")}return e}(),c=s[D]||d[D]||"",u=s[C],p=u?u+"/v2/track":d.endpointUrl,(l=[]).push((n="SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details)",a=t,i=p,(o=(r=v(c,"Exception")).data).baseType="ExceptionData",o.baseData.exceptions=[{typeName:"SDKLoadFailed",message:n.replace(/\./g,"-"),hasFullStack:!1,stack:n+"\nSnippet failed to load ["+a+"] -- Telemetry is disabled\nHelp Link: https://go.microsoft.com/fwlink/?linkid=2128109\nHost: "+(S&&S.pathname||"_unknown_")+"\nEndpoint: "+i,parsedStack:[]}],r)),l.push(function(e,t,n,a){var i=v(c,"Message"),r=i.data;r.baseType="MessageData";var o=r.baseData;return o.message='AI (Internal): 99 message:"'+("SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details) ("+n+")").replace(/\"/g,"")+'"',o.properties={endpoint:a},i}(0,0,t,p)),function(e,t){if(JSON){var n=T.fetch;if(n&&!y.useXhr)n(t,{method:N,body:JSON.stringify(e),mode:"cors"});else if(XMLHttpRequest){var a=new XMLHttpRequest;a.open(N,t),a.setRequestHeader("Content-type","application/json"),a.send(JSON.stringify(e))}}}(l,p))}function i(e,t){f||setTimeout(function(){!t&&m.core||a()},500)}var e=function(){var n=l.createElement(k);n.src=h;var e=y[w];return!e&&""!==e||"undefined"==n[w]||(n[w]=e),n.onload=i,n.onerror=a,n.onreadystatechange=function(e,t){"loaded"!==n.readyState&&"complete"!==n.readyState||i(0,t)},n}();y.ld<0?l.getElementsByTagName("head")[0].appendChild(e):setTimeout(function(){l.getElementsByTagName(k)[0].parentNode.appendChild(e)},y.ld||0)}try{m.cookie=l.cookie}catch(p){}function t(e){for(;e.length;)!function(t){m[t]=function(){var e=arguments;g||m.queue.push(function(){m[t].apply(m,e)})}}(e.pop())}var n="track",r="TrackPage",o="TrackEvent";t([n+"Event",n+"PageView",n+"Exception",n+"Trace",n+"DependencyData",n+"Metric",n+"PageViewPerformance","start"+r,"stop"+r,"start"+o,"stop"+o,"addTelemetryInitializer","setAuthenticatedUserContext","clearAuthenticatedUserContext","flush"]),m.SeverityLevel={Verbose:0,Information:1,Warning:2,Error:3,Critical:4};var s=(d.extensionConfig||{}).ApplicationInsightsAnalytics||{};if(!0!==d[I]&&!0!==s[I]){var c="onerror";t(["_"+c]);var u=T[c];T[c]=function(e,t,n,a,i){var r=u&&u(e,t,n,a,i);return!0!==r&&m["_"+c]({message:e,url:t,lineNumber:n,columnNumber:a,error:i}),r},d.autoExceptionInstrumented=!0}return m}(y.cfg);function a(){y.onInit&&y.onInit(n)}(T[t]=n).queue&&0===n.queue.length?(n.queue.push(a),n.trackPageView({})):a()}(window,document,{src: "https://js.monitor.azure.com/scripts/b/ai.2.gbl.min.js", crossOrigin: "anonymous", cfg: { instrumentationKey:'e654df26-006c-4a39-805f-2b3fec1e1bb3', disableCookiesUsage: false }}); </script> <meta property="og:title" content="Cloud penetration testing - an essential guide"> <meta property="og:url" content="https://www.lrqa.com/en/insights/articles/cloud-penetration-testing-an-essential-guide/"> <meta property="og:locale" content="en"> <meta property="og:site_name" content="LRQA"> <meta property="og:type" content="website"> <meta name="twitter:card" content="summary"> <meta name="twitter:site" content="@lrqa"> <meta name="twitter:title" content="Cloud penetration testing - an essential guide"> <meta name="twitter:url" content="https://www.lrqa.com/en/insights/articles/cloud-penetration-testing-an-essential-guide/"> </head> <body class="lrqa"> <div class="skipToContent"> <a href="#content" class="cta">Skip content</a> </div> <header class="pageHeader"> <div class="pageHeaderWrap"> <div class="pageHeaderLocal"> <button class="pageHeaderLocalLanguage" type="button"> <span class="pageHeaderLocalLanguageText"> Global (English) </span> <svg focusable="false" class="pageHeaderLocalLanguageIcon"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </button> <div class="pageHeaderLocalRegionSelMenu"> <form class="pageHeaderLocalRegionSelForm" id="regionLangSelect"> <label for="regionLangSelectInput" class="offscreen">Language Selector</label> <input id="regionLangSelectInput" name="langSearch" class="pageHeaderLocalRegionSelInput" type="text" placeholder="Type location"> <button type="submit" class="pageHeaderLocalRegionSelSubmit"> <svg focusable="false" class="pageHeaderLocalRegionSelSubmitIcon"> <title>Submit</title> <use href="/static/images/svg.svg#svg-search"></use> </svg> </button> </form> <ul class="pageHeaderLocalRegionSelList"> <li class="pageHeaderLocalRegionSelItem"> <a href="/en/insights/articles/cloud-penetration-testing-an-essential-guide/" class="pageHeaderLocalRegionSelItemLink" tabindex="-1" aria-current="true" lang="en"> <span class="localLangTrans">Global (English)</span> <span class="localLang" lang="en">Global (English)</span> <svg focusable="false" class="localLangIcon"> <use href="/static/images/svg.svg#svg-tick"></use> </svg> </a> </li> <li class="pageHeaderLocalRegionSelItem"> <a href="/en-gb/insights/articles/cloud-penetration-testing-an-essential-guide/" class="pageHeaderLocalRegionSelItemLink" lang="en-GB"> <span class="localLangTrans">United Kingdom (English)</span> <span class="localLang" lang="en">United Kingdom (English)</span> </a> </li> </ul> <p class="pageHeaderLocalRegionSelMenuText"></p> </div> </div> <ul class="pageHeaderButtonWrap pageHeaderEyebrow"> <li class="pageHeaderButton"> <a href="/en/who-we-are/" class="pageHeaderEyebrowLink"> <span class="text"> About us </span> </a> </li> <li class="pageHeaderButton"> <a href="/en/client-portal/" class="pageHeaderEyebrowLink"> <span class="text"> Client login </span> </a> </li> <li class="pageHeaderButton"> <a href="/en/emergency-incident-response-services/" class="pageHeaderEyebrowLink"> <span class="text"> &#x26A0;&#xFE0F; Report a Cyber Incident </span> </a> </li> <li class="pageHeaderButton"> <a href="/en/contact-us/" class="pageHeaderEyebrowContact cta"> <span class="text"> Contact us </span> </a> </li> </ul> <div class="pageHeaderLogo"> <a href="/en/" class="pageHeaderLogoLink"> <svg focusable="false"> <title>Logo</title> <use href="/static/images/svg.svg#svg-lrqaLogo"></use> </svg> </a> </div> <div class="pageHeaderButton nav"> <button type="button"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-menu"></use> </svg> </span> <span class="text"> Menu </span> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-cross"></use> </svg> </span> <span class="text"> Close </span> </button> </div> <div class="pageHeaderNav" inert=""> <nav class="navigation"> <ul class="navigationList level1"> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Assurance 4.0 </span> </button> <ul class="navigationList level2"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/who-we-are/assurance-4/" target="_self"> <span class="text">Assurance 4.0</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/assure-assets-and-management-systems/" target="_self"> <span class="text">Assure Assets and Management Systems</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/achieve-product-integrity/" target="_self"> <span class="text">Achieve Product Integrity</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/source-responsibly/" target="_self"> <span class="text">Source Responsibly</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/navigate-the-energy-transition-and-achieve-net-zero/" target="_self"> <span class="text">Navigate the Energy Transition and Achieve Net Zero</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/strengthen-cybersecurity-maturity/" target="_self"> <span class="text">Strengthen Cyber Security Maturity</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Sectors </span> </button> <ul class="navigationList level2"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/sectors/" target="_self"> <span class="text">Sectors</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/food-beverage-hospitality/" target="_self"> <span class="text">Food and Beverage</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/financial-and-professional-services/" target="_self"> <span class="text">Financial and Professional Services</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/energy-renewables/" target="_self"> <span class="text">Energy and Renewables</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/transport-logistics/" target="_self"> <span class="text">Transportation and Mobility</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/ict-telecoms/" target="_self"> <span class="text">Technology and Telecommunications</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/consumer-goods-and-retail/" target="_self"> <span class="text">Consumer Goods and Retail</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/construction-industry/" target="_self"> <span class="text">Construction and Engineering</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/healthcare-medical/" target="_self"> <span class="text">Healthcare and Medical</span> </a> </li> <li class="navigationListItem extraLinkText"> <a class="navigationListItemLink" href="/en/contact-us/"> <span class="text">Can&#x27;t see your sector?</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Services </span> </button> <ul class="navigationList level2"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/services/" target="_self"> <span class="text">Services</span> </a> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Assessment and Certification </span> </button> <ul class="navigationList level3"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/assessment-certification/" target="_self"> <span class="text">Assessment and Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/transfer-certification-to-lrqa/" target="_self"> <span class="text">Transfer your Certification to LRQA</span> </a> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Quality, Environment, Health and Safety </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/quality-health-and-safety-and-environmental/" target="_self"> <span class="text">Quality, Environment, Health and Safety</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/iso-9001/" target="_self"> <span class="text">ISO 9001 Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/iso-14001/" target="_self"> <span class="text">ISO 14001 Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/iso-45001/" target="_self"> <span class="text">ISO 45001 Certification</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Food and Beverage </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/food-beverage-hospitality/" target="_self"> <span class="text">Food and Beverage</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/fssc-22000/" target="_self"> <span class="text">FSSC 22000 Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/brcgs-food-safety/" target="_self"> <span class="text">BRCGS Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/2nd-party-audit-programmes/" target="_self"> <span class="text">2nd Party Audits</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/iso-22000/" target="_self"> <span class="text">ISO 22000 Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/ifs/" target="_self"> <span class="text">IFS Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/sqf-certification/" target="_self"> <span class="text">SQF Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/haccp/" target="_self"> <span class="text">HACCP Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/food-labelling-regulation-advisory-services/" target="_self"> <span class="text">Food Labelling</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/gsa-bap/" target="_self"> <span class="text">GSA BAP Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/msc/" target="_self"> <span class="text">MSC Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/asc/" target="_self"> <span class="text">ASC Certification</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Sustainability and Responsible Sourcing </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/climate-change-sustainability/" target="_self"> <span class="text">Sustainability and Responsible Sourcing</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/iso-14064/" target="_self"> <span class="text">ISO 14064 Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/iso-50001/" target="_self"> <span class="text">ISO 50001 Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/iso-46001/" target="_self"> <span class="text">ISO 46001 Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/smeta/" target="_self"> <span class="text">Sedex Members Ethical Trade Audit (SMETA)</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/amfori-bsci-business-social-compliance-initiative/" target="_self"> <span class="text">Amfori BSCI</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/farm-first-assurance-scheme/" target="_self"> <span class="text">Farm First</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/ersa-responsible-sourcing-assessment/" target="_self"> <span class="text">ERSA</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/social-labour-convergence-program-slcp/" target="_self"> <span class="text">Social and Labour Convergence Programme (SLCP)</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/initiative-for-compliance-and-sustainability/" target="_self"> <span class="text">Initiative for Compliance and Sustainability (ICS)</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/rba-vap-validated-assessment-program/" target="_self"> <span class="text">Responsible Business Alliance - Validated Assessment Program (RBA-VAP)</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/worldwide-responsible-accredited-production/" target="_self"> <span class="text">Worldwide Responsible Accredited Production (WRAP)</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/eu-ets/" target="_self"> <span class="text">EU ETS</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/responsible-plastic-management/" target="_self"> <span class="text">Responsible Plastic Management</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/lrqa-worker-surveys/" target="_self"> <span class="text">LRQA Worker Surveys</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Information Security Management </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/information-security-management/" target="_self"> <span class="text">Information Security Management</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/iso-27001/" target="_self"> <span class="text">ISO 27001 Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/iso-27701/" target="_self"> <span class="text">ISO 27701 Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/iso-20000/" target="_self"> <span class="text">ISO 20000-1 Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/iso-22301/" target="_self"> <span class="text">ISO 22301 Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/csa-star/" target="_self"> <span class="text">CSA STAR Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/iso-42001-ai-management-system-certification/" target="_self"> <span class="text">ISO 42001 Certification</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Automotive and Aerospace </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/automotive-aerospace/" target="_self"> <span class="text">Automotive and Aerospace</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/iatf-16949/" target="_self"> <span class="text">IATF 16949 Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/as9100/" target="_self"> <span class="text">AS 9100 Certification</span> </a> </li> </ul> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/iso-13485/" target="_self"> <span class="text">Medical - ISO 13485 Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/iso-29001/" target="_self"> <span class="text">Oil and Gas - ISO 29001 Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/client-specific-programmes/" target="_self"> <span class="text">Client-Specific Programmes</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Inspection Services </span> </button> <ul class="navigationList level3"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/inspection-services/" target="_self"> <span class="text">Inspection Services</span> </a> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Product, System and Process Certification </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/codes-standards-regulations/" target="_self"> <span class="text">Product, System and Process Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/asme-code-services/" target="_self"> <span class="text">ASME</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/pressure-equipment-directive/" target="_self"> <span class="text">Pressure Equipment Directive (PED)</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/product-certification/national-approvals/" target="_self"> <span class="text">National Approvals</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/product-certification/ce-marking-and-eu-directives/" target="_self"> <span class="text">EU Directives</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Welding and Material Services </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/materials-and-welding/" target="_self"> <span class="text">Welding and Material Services</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/materials-and-welding/en-10204-type-3-2-certification-services/" target="_self"> <span class="text">EN 10204 Type 3.2</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/materials-and-welding/iso-3834/" target="_self"> <span class="text">ISO 3834 Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/materials-and-welding/welding-operator-qualification/" target="_self"> <span class="text">Welding Procedure and Welder Operator Qualification</span> </a> </li> </ul> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/containers/" target="_self"> <span class="text">Container Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/product-certification/type-approval/" target="_self"> <span class="text">Type Approval</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/utilities/" target="_self"> <span class="text">Utilities Schemes</span> </a> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Construction Scheme </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/construction-industry/" target="_self"> <span class="text">Construction Scheme</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/construction-industry/building-information-modelling-bim/" target="_self"> <span class="text">BIM and ISO 19650</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/construction-industry/buildoffsite-property-assurance-scheme-bopas/" target="_self"> <span class="text">BOPAS</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/construction-products-regulation/" target="_self"> <span class="text">Construction Products Regulation (CPR)</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Energy Transition Services </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/energy-transition-services/" target="_self"> <span class="text">Energy Transition Services</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/hydrogen-net-zero-manufacturing/" target="_self"> <span class="text">Hydrogen Projects</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/nuclear-supply-chain-inspection/" target="_self"> <span class="text">Nuclear Projects</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/solar-projects-assurance/" target="_self"> <span class="text">Solar Projects</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/wind-projects-assurance/" target="_self"> <span class="text">Wind Projects</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Technical Advisory </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <p class="navigationListItemLink"> <span class="text">Technical Advisory</span> </p> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/additive-manufacturing/" target="_self"> <span class="text">Additive Manufacturing</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/technical-advisory-services/" target="_self"> <span class="text">Other Technical Advisory Services</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Supply Chain and Vendor Inspection </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/supply-chain-inspection/" target="_self"> <span class="text">Supply Chain and Vendor Inspection</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/manufacturing-industry/cranes-lifting-equipment/" target="_self"> <span class="text">Cranes and Lifting Equipment</span> </a> </li> </ul> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/remote-inspection/" target="_self"> <span class="text">Remote Inspection</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Cyber Security Services </span> </button> <ul class="navigationList level3"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/cyber-security-services/" target="_self"> <span class="text">Cyber Security Services</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/emergency-incident-response-services/" target="_self"> <span class="text">&#x26A0;&#xFE0F; Report a Cyber Incident</span> </a> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Cyber Advisory </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/cyber-security-advisory-services/" target="_self"> <span class="text">Cyber Advisory</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/threat-intelligence-services/" target="_self"> <span class="text">Threat Intelligence Services</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/virtual-ciso/" target="_self"> <span class="text">Virtual CISO Services</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/threatwatcher/" target="_self"> <span class="text">ThreatWatcher</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/threat-modelling/" target="_self"> <span class="text">Threat Modelling</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/regulatory-compliance-testing/" target="_self"> <span class="text">Regulatory Compliance Testing</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/red-teaming/" target="_self"> <span class="text">Red Teaming</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/purple-teaming/" target="_self"> <span class="text">Purple Teaming</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/cyber-security-maturity-assessment/" target="_self"> <span class="text">Cyber Security Maturity Assessment</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/mergers-and-acquisition-due-diligence/" target="_self"> <span class="text">Merger and Aquisitions Due Diligence</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/offensive-cyber-security-training/" target="_self"> <span class="text">Offensive Cyber Security Training</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Governance, Risk and Compliance </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/governance-risk-compliance-services/" target="_self"> <span class="text">Governance, Risk and Compliance</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/pci-dss-assessments/" target="_self"> <span class="text">PCI DSS Consultancy and Assessments</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/security-awareness-training/" target="_self"> <span class="text">Security Awareness Training</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/dora-compliance/" target="_self"> <span class="text">DORA Compliance</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/iso-27001/" target="_self"> <span class="text">ISO 27001 Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/nist-cyber-security-framework/" target="_self"> <span class="text">NIST Cyber Security Framework</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/ncsc-ten-steps-to-cyber-security-assessment/" target="_self"> <span class="text">NCSC 10 Steps to Cyber Security</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/caa-assure-cyber-audit/" target="_self"> <span class="text">CAA ASSURE Cyber Audit</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/vendor-security-review/" target="_self"> <span class="text">Vendor Security Review</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/policies-procedures-creation-review/" target="_self"> <span class="text">Policies Procedures Creation and Review</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/cyber-essentials-certification/" target="_self"> <span class="text">Cyber Essentials Certification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/cyber-security-risk-assessment/" target="_self"> <span class="text">Cyber Security Risk Assessment</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/information-security-management/" target="_self"> <span class="text">Cloud Security and Privacy</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/cmmc-compliance/" target="_self"> <span class="text">CMMC Compliance</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Managed Cyber Security Services </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/managed-security-services/" target="_self"> <span class="text">Managed Cyber Security Services</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/soc-as-a-service/" target="_self"> <span class="text">SOC-as-a-Service (SOCaaS)</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/network-detection-and-response/" target="_self"> <span class="text">Network Detection and Response (NDR)</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/extended-detection-and-response/" target="_self"> <span class="text">Extended Detection and Response (XDR)</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/managed-detection-and-response/" target="_self"> <span class="text">Managed Detection and Response (MDR)</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/security-information-and-event-management-siem-services/" target="_self"> <span class="text">Security Information and Event Management (SIEM)</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/endpoint-detection-and-response/" target="_self"> <span class="text">Endpoint Detection and Response (EDR)</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/virtual-ciso/" target="_self"> <span class="text">Virtual CISO Services</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/digital-forensics-and-incident-response/" target="_self"> <span class="text">Digital Forensics and Incident Response</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/managed-vulnerability-scanning/" target="_self"> <span class="text">Vulnerability Scanning</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Incident Response </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/incident-response-services/" target="_self"> <span class="text">Incident Response</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/digital-forensics-and-incident-response/" target="_self"> <span class="text">Digital Forensics and Incident Response</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/emergency-incident-response-services/" target="_self"> <span class="text">Emergency Incident Response</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Cyber Security Testing </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/cyber-security-testing/" target="_self"> <span class="text">Cyber Security Testing</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/penetration-testing/" target="_self"> <span class="text">Penetration Testing Services</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/web-application-penetration-testing/" target="_self"> <span class="text">Web Application Penetration Testing</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/mobile-application-penetration-testing/" target="_self"> <span class="text">Mobile Application Penetration Testing</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/cloud-penetration-testing/" target="_self"> <span class="text">Cloud Penetration Testing</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/continuous-assurance/" target="_self"> <span class="text">Continuous Assurance</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/red-teaming/" target="_self"> <span class="text">Red Teaming</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/purple-teaming/" target="_self"> <span class="text">Purple Teaming</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/social-engineering/" target="_self"> <span class="text">Social Engineering</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/bug-bounty-program/" target="_self"> <span class="text">Bug Bounty Program</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Cyber Insurance Services </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <p class="navigationListItemLink"> <span class="text">Cyber Insurance Services</span> </p> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/cyber-insurance-service-partner/" target="_self"> <span class="text">Cyber Insurance Partner</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/cyber-insurance-services/" target="_self"> <span class="text">Cyber Insurance</span> </a> </li> </ul> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Verification and Report Assurance </span> </button> <ul class="navigationList level3"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/assurance-services/" target="_self"> <span class="text">Verification and Report Assurance</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/organisational-ghg-carbon-verification/" target="_self"> <span class="text">Organisational GHG and Carbon Verification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/environmental-social-verification/" target="_self"> <span class="text">Environmental and Social Verification</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/product-carbon-footprinting/" target="_self"> <span class="text">Product Carbon Footprinting</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/carbon-neutrality/" target="_self"> <span class="text">Carbon Neutrality</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/regulatory-emission-schemes/" target="_self"> <span class="text">Regulatory Emission Schemes</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/sector-carbon-standards/" target="_self"> <span class="text">Sector Carbon Standards</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Training </span> </button> <ul class="navigationList level3"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <p class="navigationListItemLink"> <span class="text">Training</span> </p> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> All Training Courses </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/training/overview/" target="_self"> <span class="text">All Training Courses</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/training/quality-environmental-health-and-safety/" target="_self"> <span class="text">Quality, Environment, Health and Safety Training</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/training/food-beverage-hospitality/" target="_self"> <span class="text">Food, Beverage and Hospitality Training</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/training/medical-devices/" target="_self"> <span class="text">Medical Devices Training</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/training/infosecurity-cyber/" target="_self"> <span class="text">Cybersecurity and Information Security Training</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/training/climate-change-sustainability/" target="_self"> <span class="text">Climate Change and Sustainability Training</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/training/automotive-aerospace/" target="_self"> <span class="text">Automotive, Aerospace and Transport Training</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/training/manufacturing/" target="_self"> <span class="text">Manufacturing Codes and Standards Training</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Online Training </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/training/virtual-classroom-online-courses/" target="_self"> <span class="text">Online Training</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/training/virtual-classroom-courses/" target="_self"> <span class="text">Virtual Classroom Courses</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/training/elearning-courses/" target="_self"> <span class="text">eLearning</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/training/blended/" target="_self"> <span class="text">Blended Training</span> </a> </li> </ul> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/training-academy/" target="_self"> <span class="text">LRQA Training Academy</span> </a> </li> <li class="navigationListItem"> </li> <li class="navigationListItem"> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/management-system-solutions/" target="_self"> <span class="text">Management System Solutions</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="https://training-portal.lrqa.com/lmt/clmsbrowsev2.prmain?site=lrqaext&amp;in_lang=en&amp;in_region=gl" target="_blank"> <span class="text">Training Portal</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Advisory Services </span> </button> <ul class="navigationList level3"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/advisory-services/" target="_self"> <span class="text">Advisory Services</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/esg-advisory/" target="_self"> <span class="text">ESG Advisory</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/csddd/" target="_self"> <span class="text">CSDDD</span> </a> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Diagnostics </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/diagnostics/" target="_self"> <span class="text">Diagnostics</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/responsible-sourcing-in-supply-chains/" target="_self"> <span class="text">Responsible Sourcing</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/human-rights-impact-assessment/" target="_self"> <span class="text">Human Rights Impact Assessment (HRIA)</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/net-zero-climate-risk-service/" target="_self"> <span class="text">Net Zero</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/double-materiality-assessment/" target="_self"> <span class="text">Double Materiality</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Strategy and Design </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/strategy-and-design/" target="_self"> <span class="text">Strategy and Design</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/supply-chain-risk-assessment-segmentation-service/" target="_self"> <span class="text">Supply Chain Risk Assessment and Segmentation</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/corporate-decarbonisation-strategy/" target="_self"> <span class="text">Carbon Footprint and Decarbonisation Strategy</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/safety-culture-ladder/" target="_self"> <span class="text">Safety Culture Ladder</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Implementation </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/implementation/" target="_self"> <span class="text">Implementation</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/grievance-mechanism/" target="_self"> <span class="text">Grievance Mechanism</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/ghg-inventory-service/" target="_self"> <span class="text">GHG Inventory</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/waste-and-emissions-supply-chain-engagement/" target="_self"> <span class="text">Waste and Emissions Supply Chain Engagement</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Reporting and Disclosure </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/reporting-and-disclosure/" target="_self"> <span class="text">Reporting and Disclosure</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/climate-disclosure-service/" target="_self"> <span class="text">Climate Disclosure</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/sustainability-disclosure/" target="_self"> <span class="text">Sustainability Disclosure</span> </a> </li> </ul> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/programme-management/" target="_self"> <span class="text">Programme Management</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/technical-advisory-services/" target="_self"> <span class="text">Technical Advisory</span> </a> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Training </span> </button> <ul class="navigationList level4"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <p class="navigationListItemLink"> <span class="text">Training</span> </p> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/training/overview/" target="_self"> <span class="text">All Training Courses</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/training/virtual-classroom-online-courses/" target="_self"> <span class="text">Online Training</span> </a> </li> <li class="navigationListItem"> </li> <li class="navigationListItem"> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/management-system-solutions/" target="_self"> <span class="text">Management System Solutions</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="https://training-portal.lrqa.com/lmt/clmsbrowsev2.prmain?site=lrqaext&amp;in_lang=en&amp;in_region=gl" target="_blank"> <span class="text">Training Portal</span> </a> </li> </ul> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Data and Analytics </span> </button> <ul class="navigationList level3"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <p class="navigationListItemLink"> <span class="text">Data and Analytics</span> </p> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="https://www.eiq.ai/" target="_blank"> <span class="text">LRQA&#x27;s EiQ Platform</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/eiq-lite/" target="_self"> <span class="text">EiQ Lite</span> </a> </li> </ul> </li> <li class="navigationListItem extraLinkText"> <a class="navigationListItemLink" href="/en/contact-us/"> <span class="text">Can&#x27;t find the service you need?</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> News and Insights </span> </button> <ul class="navigationList level2"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <p class="navigationListItemLink"> <span class="text">News and Insights</span> </p> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/latest-news/" target="_self"> <span class="text">Latest News</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/insights/articles/" target="_self"> <span class="text">Thought Leadership Articles</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/cyber-labs/" target="_self"> <span class="text">Cyber Labs</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/case-studies/" target="_self"> <span class="text">Case Studies</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/podcasts/" target="_self"> <span class="text">Podcasts</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/resources/" target="_self"> <span class="text">Downloadable Resources</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/supply-chain-due-diligence-legislation-map/" target="_self"> <span class="text">Legislation Map</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/resources/client-information-note/" target="_self"> <span class="text">Client Information Notes (CINs)</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/who-we-are/our-management-systems-accreditations/" target="_self"> <span class="text">Accreditations</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/who-we-are/awards-and-recognition/" target="_self"> <span class="text">Awards and Recognition</span> </a> </li> </ul> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/events/" target="_self"> <span class="text">Events and Webinars</span> </a> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Careers </span> </button> <ul class="navigationList level2"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/careers/" target="_self"> <span class="text">Careers</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/why-lrqa/" target="_self"> <span class="text">What it&#x27;s like to work here</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/career-faqs/" target="_self"> <span class="text">From application to onboarding</span> </a> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Talent Community </span> </button> <ul class="navigationList level3"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <a class="navigationListItemLink" href="/en/opportunities/" target="_self"> <span class="text">Talent Community</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/opportunities/assessment-roles/" target="_self"> <span class="text">Assessment roles</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/opportunities/inspection-service-roles/" target="_self"> <span class="text">Inspection Service roles</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/opportunities/cybersecurity-roles/" target="_self"> <span class="text">Cybersecurity roles</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/opportunities/advisory-and-esg-roles/" target="_self"> <span class="text">Advisory and ESG roles</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/opportunities/sales-roles/" target="_self"> <span class="text">Sales and Business Development roles</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/opportunities/contractor-roles/" target="_self"> <span class="text">Contractor roles</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="/en/opportunities/corporate-function-roles/" target="_self"> <span class="text">Corporate Function roles</span> </a> </li> </ul> </li> <li class="navigationListItem"> <button class="navigationListItemLink hasSubNav"> <span class="icon"> <svg focusable="false" class="arrow-mobile"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="icon"> <svg focusable="false" class="arrow-desktop"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> <span class="text"> Apply now </span> </button> <ul class="navigationList level3"> <li class="navigationListItem back"> <button type="button" class="navigationListItemLink"> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-arrow"></use> </svg> </span> <span class="text"> Back </span> </button> </li> <li class="navigationListItem parentLink"> <p class="navigationListItemLink"> <span class="text">Apply now</span> </p> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="https://elevatelimited.bamboohr.com/careers" target="_self"> <span class="text">Advisory and ESG roles</span> </a> </li> <li class="navigationListItem"> <a class="navigationListItemLink" href="https://jobs.lrqa.com/" target="_self"> <span class="text">All other roles</span> </a> </li> </ul> </li> </ul> </li> <li class="navigationListItem extraLink "> <a href="/en/who-we-are/" class="extraLinkText"> <span class="text"> About us </span> </a> </li> <li class="navigationListItem extraLink "> <a href="/en/client-portal/" class="extraLinkText"> <span class="text"> Client login </span> </a> </li> <li class="navigationListItem extraLink "> <a href="/en/emergency-incident-response-services/" class="extraLinkText"> <span class="text"> &#x26A0;&#xFE0F; Report a Cyber Incident </span> </a> </li> </ul> </nav> </div> <div class="pageHeaderButtonWrap pageHeaderSearchButton"> <div class="pageHeaderButton search"> <button type="button"> <span class="text"> Search </span> <span class="icon"> <svg focusable="false"> <use href="/static/images/svg.svg#svg-search"></use> </svg> </span> <span class="icon"> <svg focusable="false"> <title>Close</title> <use href="/static/images/svg.svg#svg-close"></use> </svg> </span> </button> </div> </div> <div class="pageHeaderSearch" inert=""> <div class="searchWrap"> <form action="/en/search/" method="get" class="searchForm"> <input type="search" name="q" placeholder="Find what you&#x27;re looking for" autocomplete="on" id="q" class="searchFormInput"> <label for="headerSearchInput" class="searchFormLabel">Search form</label> <button type="submit" class="searchFormSubmit cta"> <span class="icon"> <svg focusable="false"> <title>Search open</title> <use href="/static/images/svg.svg#svg-search"></use> </svg> </span> <span class="text">Search</span> </button> </form> </div> <figure class="quickLinks"> <figcaption class="quickLinksTitle">Are you looking for?</figcaption> <div class="swipeNav col-12"> <div class="swipeNavWrap"> <ul class="swipeNavList"> <li class="swipeNavListItem"> <a href="/en/events/" class="swipeNavLink cta ctaTertiary"> <span class="text"> Events </span> </a> </li> <li class="swipeNavListItem"> <a href="/en/latest-news/" class="swipeNavLink cta ctaTertiary"> <span class="text"> News </span> </a> </li> <li class="swipeNavListItem"> <a href="/en/case-studies/" class="swipeNavLink cta ctaTertiary"> <span class="text"> Case studies </span> </a> </li> <li class="swipeNavListItem"> <a href="/en/resources/" class="swipeNavLink cta ctaTertiary"> <span class="text"> Resource library </span> </a> </li> <li class="swipeNavListItem"> <a href="/en/client-portal/" class="swipeNavLink cta ctaTertiary"> <span class="text"> Client Portal </span> </a> </li> <li class="swipeNavListItem"> <a href="/en/resources/client-information-note/" class="swipeNavLink cta ctaTertiary"> <span class="text"> Client Information Notes </span> </a> </li> </ul> </div> </div> </figure> </div> </div> </header> <nav class="breadcrumbs"> <p class="offscreen" id="breadcrumblabel">You are here:</p> <ol class="breadcrumbsList" aria-labelledby="breadcrumblabel"> <li class="breadcrumbsItem"> <a class="breadcrumbsLink" href="/en/"> <span class="breadcrumbsLinkText"> Home </span> <span class="icon breadcrumbsIconSvg"> <svg focusable="false" class=" breadcrumbsIconSvg"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> </a> </li> <li class="breadcrumbsItem"> <a class="breadcrumbsLink" href="/en/insights/"> <span class="breadcrumbsLinkText"> Insights </span> <span class="icon breadcrumbsIconSvg"> <svg focusable="false" class=" breadcrumbsIconSvg"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> </a> </li> <li class="breadcrumbsItem"> <a class="breadcrumbsLink" href="/en/insights/articles/"> <span class="breadcrumbsLinkText"> Articles </span> <span class="breadcrumbsLinkText breadcrumbsLinkTextPrevious"> Back to previous page </span> <span class="icon breadcrumbsIconSvg"> <svg focusable="false" class=" breadcrumbsIconSvg"> <use href="/static/images/svg.svg#svg-chevron"></use> </svg> </span> </a> </li> <li class="breadcrumbsItem"> <strong class="breadcrumbsLinkText breadcrumbsCurrent"> Cloud penetration testing - an essential guide </strong> </li> </ol> </nav> <img src="/static/assets/search-grey.svg" loading="eager" style="display:none;" /> <main id="content" tabindex="-1"> <section class="grid headerContentArea" > <div class="hero heroVariant2 heroAlignCentre canvas canvasNavy col-12" id="Article&#x2B;Hero"> <div class="titleBlock"> <h1 class="heroTitle" > Cloud penetration testing - an essential guide </h1> </div> </div> </section> <section class="grid stickyContentArea" > </section> <article class="twoColumn canvas "> <aside class="grid oneThird" > <div class="textBlock col-12 spacingSmall canvas canvasNavy" id="Global&#x2B;-&#x2B;Cyber&#x2B;newsletter&#x2B;sign&#x2B;up"> <div class="wysiwyg" > <h3><img style="display: block; margin-left: auto; margin-right: auto;" src="/globalassets/icons/png-icons/LRQA-EiQ-Icon-Advisory-Newsletter.png?epslanguage=en" alt="" width="85" height="57" /></h3> <h3 style="text-align: center;"><strong>Subscribe</strong> to our newsletter</h3> <p style="text-align: center;">Stay ahead with the latest news and insights that matter to your business.</p> <p style="text-align: center;"><a href="/en/sign-up-newsletters/?epslanguage=en" title="Sign up" class="cta">Sign up</a></p> </div></div> </aside> <section class="grid twoThird" > <div class="textBlock col-12" id="Body"> <div class="wysiwyg" > <h4 style="text-align: justify;"><span>An Introduction to Cloud Services</span></h4> <p style="text-align: justify;"><span>Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) are the current leaders in Cloud Computing, and offer hundreds of services between them. The continuous expansion of features, inherent flexibility, and broad access offered by Cloud Computing are compelling reasons for its adoption, and organisations of all sizes are looking to migrate their workloads.</span></p> <p style="text-align: justify;"><a href="/en/information-security-management/?epslanguage=en" title="Cloud services">Cloud Services</a> are essentially hosted resources that Cloud providers deliver to their consumers as software. Resources can be categorized as belonging to a Cloud Service model, with the most commonly adopted service models being IaaS, PaaS, and SaaS.</p> <ul style="text-align: justify;"> <li><span>Infrastructure as a Service (IaaS) such as Compute and Storage services.</span></li> </ul> <ul style="text-align: justify;"> <li><span>Platform as a Service (PaaS) such as AWS Elastic Beanstalk, Azure App Service, and Google App Engine.</span></li> </ul> <ul style="text-align: justify;"> <li><span>Software as a Service (SaaS) such as Salesforce, Office 365, and G Suite.</span></li> </ul> <p style="text-align: justify;"><span>In regards to security, Cloud Service providers have adopted a shared responsibility model which is intended to define an organisation's responsibility for securing the Cloud Service models they adopt.</span></p> <p style="text-align: justify;"><span>In simplified terms, the lower down the technology stack a Cloud service resides, the more responsibility for security and management controls are transferred from the provider to the organisation. An organisation's awareness and understanding of this shared responsibility as it relates to their cloud deployment model is critical, and may prevent introducing unnecessary risk.</span></p> <p style="text-align: justify;"><span>As organisations internal Cloud capabilities mature, many will increasingly adopt so-called Cloud-native practices and supporting services. This further complicates the understanding of the shared responsibility model, and may require adjustments to an organisations Cloud security strategy.</span></p> <p style="text-align: justify;"><span>In particular, the following cloud native services are being adopted with increasing frequency by organisations of all sizes, and with them, new attack surface and security challenges.</span></p> <ul style="text-align: justify;"> <li><span>Function as a Service (FaaS): such as AWS Lambda, Azure Functions, and Google&rsquo;s Cloud Functions.</span></li> </ul> <ul style="text-align: justify;"> <li><span>Containers as a Service (CaaS): such as EC2 Container Service, Azure Container Service, and Google Kubernetes Engine.</span></li> </ul> <p style="text-align: justify;"><span>The use of Cloud functions to create serverless architecture enables organisations to develop, execute, and manage application functionality while removing the complexity and management overhead associated with designing, building and maintaining the underlying infrastructure.</span></p> <p style="text-align: justify;"><span>Container-based services provide a more granular and flexible implementation of traditional virtualization. Containers are orchestrated, deployed as microservices and then dynamically managed on elastic infrastructure. This supports agile processes such as DevOps.</span></p> <p style="text-align: justify;"><span>While there are significant security benefits associated with Cloud Computing, organisations migrating their workloads to the Cloud should be aware that the visibility and control they are accustomed to in traditional infrastructure environments will change, sometimes significantly.</span></p> <h4 style="text-align: justify;"><span>Security Assurance in the Cloud</span></h4> <p style="text-align: justify;"><span>So what does all of this mean for organisations trying to implement an effective security strategy in the Cloud?</span></p> <p style="text-align: justify;"><span>Cloud Service providers integrate security controls into their Cloud Service offerings, and then expose those controls to organisations consuming the service as part of the shared responsibility model. Typically, the Cloud Service model to which workloads are deployed will affect the type of security controls made available to organisations.</span></p> <p style="text-align: justify;"><span>Security conscious organisations should seek to gain technical assurance that the appropriate controls are exposed to them by the Cloud provider, and moreover, configured in a way that prevents them being bypassed or manipulated. As part of the wider Cloud security strategy,&nbsp;Cloud Penetration Testing&nbsp;should be performed to&nbsp;<strong>validate</strong>&nbsp;that the available controls are enabled, and configured effectively. This is typically a combination of activities split between passive enumeration of architecture, service configuration and vulnerabilities, and active exploitation of any identified attack paths.</span></p> <p style="text-align: justify;"><span>As with more traditional on-premise Penetration Testing, discovery, intelligence gathering, threat modelling, initial compromise, lateral movement, privilege escalation, and persistence are all still considered relevant. However, the technical methods to perform them will, in some cases, significantly change.</span></p> <h4 style="text-align: justify;"><span>Is Penetration Testing Permitted by Amazon, Microsoft, and Google?</span></h4> <p style="text-align: justify;"><span>The simple answer is yes, with caveats. Cloud Service providers have policies related to Penetration Testing by organisations of their own services hosted in the Cloud. The scope of Penetration Testing may vary slightly between providers, however, as a general rule of thumb, the underlying infrastructure for which the Cloud providers are responsible will<strong>&nbsp;always be considered out of scope</strong>.</span></p> <p style="text-align: justify;"><span>The underlying infrastructure will be determined by the shared responsibility model as previously discussed. If an organisation is unsure where responsibility for security lies relative to a specific Cloud Service, they can consult the Cloud provider for clarification or obtain detailed guidance from both the Cloud Controls Matrix (CCM), and Consensus Assessment Initiative Questionnaire (CAIQ) provided by the Cloud Security Alliance (CSA), an organisation to which Amazon, Microsoft, and Google all subscribe.</span></p> <p style="text-align: justify;"><span>While it may be good practice to notify Amazon, Microsoft, or Google before commencing any Penetration Testing activities against one of their tenants, it is not a requirement. However, note that other third-party PaaS and SaaS application providers which may be integrated into AWS, Azure, or GCP may have different requirements.</span></p> <h4 style="text-align: justify;"><span>The Objectives of Penetration Testing in the Cloud</span></h4> <p style="text-align: justify;"><span>The objective of Cloud Penetration Testing is comparable to traditional infrastructure, in that it attempts to verify the security posture of the target environment. However, the scope and approach to testing must reflect significant differences in the way Cloud Computing is managed.</span></p> <p style="text-align: justify;"><span>It is recommended that Cloud Penetration Testing is focused on scenario-based objectives, with clearly defined goals. The overall approach should seek to simulate the practical Cloud attack strategies and techniques executed by sophisticated adversaries.</span></p> <h4 style="text-align: justify;">Passive Enumeration of Cloud Services</h4> <p style="text-align: justify;"><span>Preparation for the active phase of Cloud Penetration Testing must be supported by broad passive enumeration that effectively identifies the exposed attack surface. Architectural design review, and threat modelling combined with a comprehensive review of the configuration of Cloud security controls is the recommended approach. While identifying insecure configuration is fundamental to performing Cloud Penetration Testing, it should not be the sole objective.</span></p> <p style="text-align: justify;"><span>Passive enumeration of the target Cloud environment is typically performed using a custom service account provided by the organisation. The service account is used to authenticate scripts and tools that automate the gathering of configuration telemetry. While tools and scripts often include checks against Center for Internet Security (CIS) Benchmark best practices, output is manually reviewed and contextualized to identify potential attack paths.</span></p> <p style="text-align: justify;"><span>In summary, passive enumeration of Cloud Services will look to identify weaknesses in the following technical control domains, which can then be targeted for active exploitation.&nbsp;</span></p> <h4 style="text-align: justify;">Exploiting Common Cloud Attack Vectors</h4> <p style="text-align: justify;"><span>Cloud Penetration Testing will use specific tactics, techniques, and procedures (TTPs) in order to compromise, escalate privileges, and create persistence in Cloud environments. These TTPs can be leveraged to exploit weak configuration identified within the target environment.</span></p> <h4 style="text-align: justify;">Exploiting Publicly Exposed Services</h4> <p style="text-align: justify;"><span>Exposed secrets such as access keys and tokens could lead to a full-scale breach of an organisation's Cloud environment. Publicly accessible buckets pose a risk not only from adversaries targeting the organisation but also opportunistic attacks where public buckets may have been listed in publicly available repositories or indexed by search engines.</span></p> <p style="text-align: justify;"><span>Once an adversary has possession of a secret, they can simply authenticate to the organisation's environment using the Cloud SDK (Command Line Interface). The level of access will be determined by the IAM roles and permissions assigned to the compromised secret.</span></p> <p style="text-align: justify;"><span>Secrets are often unintentionally leaked or exposed in a number of ways including hidden directories, source code or version repositories, packaging repositories, and web application debugging and logging messages.</span></p> <p style="text-align: justify;"><span>Furthermore, secrets can be obtained through exploitation of web application vulnerabilities such as Server Side Request Forgery (SSRF), XML External Entity (XXE), and Local File Inclusion (LFI) to name just a few.</span></p> <h4 style="text-align: justify;">Cloud User Credentials Compromise</h4> <p style="text-align: justify;"><span>Organisations must assume that attackers&nbsp;<strong>will</strong>&nbsp;target their end users in order to obtain Cloud credentials. There are a multitude of attack techniques for compromising Cloud accounts:</span></p> <ul style="text-align: justify;"> <li><span>Credential Stuffing</span></li> <li><span>Password Spraying</span></li> <li><span>Phishing</span></li> </ul> <p style="text-align: justify;"><span>Attacks against Cloud users are leveraging increasingly large credential dumps to improve the effectiveness of brute force account compromises. Such attacks often target Office 365 and G Suite accounts using tools that automate credential harvesting with password spraying attacks.</span></p> <p style="text-align: justify;"><span>The scope of Cloud Penetration Testing should include a security review of the organisations on premise corporate systems. Compromise of a corporate workstation or laptop which are owned by privileged users such as developers or administrators is likely to provide a number of avenues for compromising Cloud user credentials, or service account keys and tokens.</span></p> <h4 style="text-align: justify;">Leveraging Permissive IAM Roles and Permissions</h4> <p style="text-align: justify;"><span>Many organisations fail to implement the principle of least privilege, leading to overly permissive policies which adversaries and malicious insiders can leverage to perform dangerous actions. Such actions may include viewing and exfiltration sensitive data, modifying or deleting data, start, stop and delete Cloud functions and services, deploy resources, and perform privilege escalation.</span></p> <p style="text-align: justify;"><span>IAM roles and permissions affect almost all aspects of Cloud Computing and the attack surface exposed by overly permissive IAM assignments can be significant. Some examples of how a malicious user could leverage overly permissive IAM roles and permissions include:</span></p> <ul style="text-align: justify;"> <li><span>Enumerate access to Cloud Services for the current IAM role</span></li> <li><span>Create new Cloud users</span></li> <li><span>Extract credentials from meta&shy;data, configuration files, environment variables, and logs</span></li> <li><span>Clone databases and instances to access information stored in snapshots</span></li> </ul> <p style="text-align: justify;"><span>While effective deployment of IAM roles and permissions may not prevent all attacks against Cloud resources and assets, they are an effective tool for limiting the blast radius (impact) of any such compromise.</span></p> <h4 style="text-align: justify;">Abusing Cloud Functions and Serverless Architecture</h4> <p style="text-align: justify;"><span>Serverless application architectures offer a number of security benefits, however, threats to applications could still persist. Microservices break applications up into smaller components that can be triggered from a diverse range of sources, including message queues, storage services, databases, and even other functions. This creates more targets, thereby increasing the overall attack surface of the environment.</span></p> <ul style="text-align: justify;"> <li><span>Cryptomining</span></li> <li><span>Execution of malicious Cloud functions</span></li> <li><span>Instance compromise via insecure error handling</span></li> </ul> <p style="text-align: justify;"><span>It should be noted that Cloud functions<strong>&nbsp;don&rsquo;t need to be insecure</strong>&nbsp;for attackers to abuse them. One of the more recent tactics used to exploit functions, is a spin off from the Denial of Service (DoS) attack, known as a Denial of Wallet attack. Rather than attempt to deny access to a service, the repeated triggering of a Cloud function takes advantage of Cloud auto scaling features to impact an organisation financially.</span></p> <h4 style="text-align: justify;">Exploiting Container Services</h4> <p style="text-align: justify;"><span>Much like serverless application architectures, the adoption of container technologies such as Docker and Kubernetes introduce a significant attack surface that organisations should be aware of. While the benefits of containerization technologies are numerous and well documented, just like other Cloud Services, they can be vulnerable to a broad range of attacks.</span></p> <p style="text-align: justify;"><span>Attacks against container services can be initiated both externally by unauthenticated remote adversaries, and by malicious insiders, including via compromised Cloud user accounts. Some example of attack vectors includes:</span></p> <ul style="text-align: justify;"> <li><span>Insecurely configured container registries</span></li> <li><span>Namespace breakout vulnerabilities</span></li> <li><span>Use of vulnerable container images</span></li> <li><span>Exposed service ports</span></li> <li><span>Lack of Role-Based Access Controls (RBAC)</span></li> </ul> <p style="text-align: justify;"><span>When implementing container services, organisations must ensure the security posture of individual containers within the cluster. Exploitation of a single container could lead to a complete compromise of the cluster and other Cloud Services.</span></p> <h4 style="text-align: justify;">Cloud Penetration Testing Summary</h4> <p style="text-align: justify;"><span>Organisations are increasingly migrating critical workloads and data to the Cloud. Such environments can be highly complex and expose attack surfaces in ways that are fundamentally different from traditional workloads.</span></p> <p style="text-align: justify;"><span>Cloud Penetration Testing should be an essential component of an organisation's overall Coud Security strategy. Testing should include comprehensive enumeration of an organisation's attack surface, identification of configuration weaknesses and vulnerabilities, threat modelling, and goal-orientated exploitation activities.</span></p> <p style="text-align: justify;">For more information on<span>&nbsp;</span>Cloud Penetration Testing Services, please<span>&nbsp;</span><a href="/en/contact-us/?epslanguage=en" title="Contact">contact</a> the LRQA team.&nbsp;</p> </div></div> </section> </article> <section class="grid bottomContent" > </section> </main> <footer class="footer canvas canvasNavy"> <div class="footerLogo"> <img decoding="auto" fetchpriority="auto" class="" src="/cdn-cgi/image/width=120,format=auto/globalassets/logos/lrqa-white-logo---dark-background-cropped.png" srcset="/cdn-cgi/image/width=120,format=auto/globalassets/logos/lrqa-white-logo---dark-background-cropped.png 120w,/cdn-cgi/image/width=150,format=auto/globalassets/logos/lrqa-white-logo---dark-background-cropped.png 150w,/cdn-cgi/image/width=240,format=auto/globalassets/logos/lrqa-white-logo---dark-background-cropped.png 240w,/cdn-cgi/image/width=300,format=auto/globalassets/logos/lrqa-white-logo---dark-background-cropped.png 300w,/cdn-cgi/image/width=360,format=auto/globalassets/logos/lrqa-white-logo---dark-background-cropped.png 360w,/cdn-cgi/image/width=450,format=auto/globalassets/logos/lrqa-white-logo---dark-background-cropped.png 450w" sizes="(min-width: 1280px) 150px, 120px" alt="" loading="lazy" width="500" height="174" /> <ul class="socialList"> <li class="socialListItem"> <a href="https://twitter.com/lrqa" class="socialListItemLink" rel="noopener" target="_blank"> <img decoding="auto" fetchpriority="auto" src="/cdn-cgi/image/width=20,format=auto/globalassets/_shared-images/twitter2.png" srcset="/cdn-cgi/image/width=20,format=auto/globalassets/_shared-images/twitter2.png 20w,/cdn-cgi/image/width=40,format=auto/globalassets/_shared-images/twitter2.png 40w,/cdn-cgi/image/width=60,format=auto/globalassets/_shared-images/twitter2.png 60w" sizes="20px" alt="" loading="lazy" class="" width="21" height="22" /> </a> </li> <li class="socialListItem"> <a href="https://www.linkedin.com/company/lrqa" class="socialListItemLink" rel="noopener"> <img decoding="auto" fetchpriority="auto" src="/cdn-cgi/image/width=20,format=auto/globalassets/_shared-images/linkedin-icon-1.png" srcset="/cdn-cgi/image/width=20,format=auto/globalassets/_shared-images/linkedin-icon-1.png 20w,/cdn-cgi/image/width=40,format=auto/globalassets/_shared-images/linkedin-icon-1.png 40w,/cdn-cgi/image/width=60,format=auto/globalassets/_shared-images/linkedin-icon-1.png 60w" sizes="20px" alt="LinkedIn icon in mint green" loading="lazy" class="" width="134" height="134" /> </a> </li> </ul> </div> <ul class="footerList"> <li class="footerListItem"> <a href="/en/who-we-are/" class="footerListItemLink">Who we are</a> </li> <li class="footerListItem"> <a href="/en/careers/" class="footerListItemLink">Careers</a> </li> <li class="footerListItem"> <a href="/en/resources/" class="footerListItemLink">Resources</a> </li> </ul> <div class="wysiwyg"> <p style="text-align: center;">LRQA and any variants are trading names of LRQA Group Limited, its subsidiaries and affiliates. LRQA Group Limited, registered number 1217474, is a limited company registered in England and Wales. Registered office: 1, Trinity Park, Bickenhill Lane, Birmingham B37 7ES. &copy; 2024 LRQA Group Limited.</p> </div> <ul class="footerList"> <li class="footerListItem"> <a href="/en/privacy-notice/" class="footerListItemLink supplemetaryLink">Privacy notice</a> </li> <li class="footerListItem"> <a href="/en/cookies-policy/" class="footerListItemLink supplemetaryLink">Cookie Policy</a> </li> <li class="footerListItem"> <a href="/en/terms-of-use/" class="footerListItemLink supplemetaryLink">Terms of use</a> </li> <li class="footerListItem"> <a href="/en/who-we-are/modern-slavery/" class="footerListItemLink supplemetaryLink">Modern Slavery Statement</a> </li> <li class="footerListItem"> <a href="/en/who-we-are/governance-policies/" class="footerListItemLink supplemetaryLink">Governance</a> </li> </ul> </footer> <script data-ot-ignore type="module" src="/static/js/lrqa/esm-app.js?v=2.4.2"></script> <script defer="defer" src="/Util/Find/epi-util/find.js"></script> <script> document.addEventListener('DOMContentLoaded',function(){if(typeof FindApi === 'function'){var api = new FindApi();api.setApplicationUrl('/');api.setServiceApiBaseUrl('/find_v2/');api.processEventFromCurrentUri();api.bindWindowEvents();api.bindAClickEvent();api.sendBufferedEvents();}}) </script> <script type="application/ld+json">{"@context":"https://schema.org","@type":"Article","name":"Cloud penetration testing - an essential guide","url":"https://www.lrqa.com/en/insights/articles/cloud-penetration-testing-an-essential-guide/","author":{"@type":"Person","url":"https://www.lrqa.com/"},"dateCreated":"2024-10-06","dateModified":"2024-10-29","datePublished":"2024-05-27","headline":"Cloud penetration testing - an essential guide","articleBody":"\u003Cdiv class=\u0022epi-contentfragment\u0022\u003EBody\u003C/div\u003E"}</script> </body> </html>