Pentester for Home Affairs FPS (2 of 2)

Penetration Testing Services
Aligned with ISO/IEC 27001:2022 and NIS2 Directive

Introduction

Home Affairs FPS invites qualified cybersecurity providers to submit proposals for the delivery of penetration testing services as part of our information security assurance program. The testing must comply with the principles and controls of ISO/IEC 27001:2022 and meet the technical risk management requirements of the NIS2 Directive for critical and important entities.

1.1 Objectives

  • Identify vulnerabilities and misconfigurations at the network, system, and application levels.
  • Simulate real-world attack scenarios, both internal and external.
  • Provide assurance for regulatory compliance with ISO/IEC 27001 and NIS2 Article 21.
  • Generate actionable risk-based recommendations for remediation.
  • Maintain service continuity while conducting tests in a non-disruptive manner.
  • Enable continuous technical vulnerability management and improvement.

1.2 Scope of Work

The engagement consists of two parts:

External Infrastructure Penetration Testing:

  • Public-facing systems (IP ranges, DNS, VPN, firewalls, portals)
  • Black-box or grey-box testing to simulate real attackers

Internal Penetration Testing:

  • Simulating actions of a malicious actor with physical or logical access
  • Focus on in-depth, intrusive testing to identify and exploit weaknesses
  • No disruption to production services

Semi-Automated Recurring Penetration Testing:

  • Monthly or quarterly scanning and light testing using semi-automated tools
  • Prioritized reporting of high-risk issues
  • Dashboard and report access for ongoing vulnerability management

1.3 Technical Evaluation Perimeter

  • The production environment of the technical infrastructure, subject to prior risk analysis regarding data confidentiality, availability, and integrity
  • Hardware and storage systems used for critical data or operations
  • Additional perimeters will be defined mutually by both parties

Note: Full technical documentation (system diagrams, IPs, architecture, etc.) will be shared after proposal submission and NDA signing.

1.4 Planning and Phasing

The overall mission is expected to require approximately 55 man-days, subject to confirmation after detailed scoping.

The work will be carried out in close coordination with our internal teams across three phases in 2025 and the first quarter of 2026:

  • Initial perimeter scoping
  • Execution of tests and delivery of findings
  • Scheduling of follow-up testing based on earlier results and availability

1.5 Methodology of Test Execution

Internal Penetration Tests:

Simulate attacks from an insider or intruder with physical or logical access to the internal network.

Goal: Identify vulnerabilities across network, system, and application layers. The approach includes:

  • Scanning for flaws in systems and services
  • Development and execution of exploitation scenarios
  • Non-disruptive testing
  • Risk-specific recommendations

Network Testing Examples:

  • VLAN-hopping
  • Firewall policy testing
  • DNS tunneling
  • ARP poisoning / network sniffing (MITM)
  • Plaintext password retrieval
  • Downgrading secure connections (SSL, NTLM, RDP)
  • VoIP/ToIP traffic interception (if applicable)
  • SNMP data extraction using weak community strings

System Testing Examples:

  • Vulnerability scanning and simulated attacks
  • Cracking of local admin accounts
  • Domain user enumeration
  • Identification of privileged accounts
  • Privilege escalation
  • Accessing management interfaces
  • Brute-force testing of password policies
  • File server data extraction
  • Mail service tests (open relays, enumeration, dictionary attacks)

Workstation Security Testing (Without Network Access):

  • Simulates theft or loss of laptops/desktops.

Workstation Testing (With User Account Access):

  • If a user account is available, tests are performed to assess privilege escalation, system patching, and lateral movement capabilities.

1.6 Deliverables

  • Scoping and kick-off session
  • Rules of Engagement and NDA
  • One-time Pentest Report
  • Retesting Report
  • Monthly Reports for Semi-Automated Testing
  • Final presentation

1.7 Vendor Requirements

  • Proven penetration testing experience in regulated environments
  • Certifications: OSCP, OSCE, CREST, GPEN, ISO/IEC 27001 LA/LI
  • Capability to deliver semi-automated testing solutions
  • Fluency in English (and either Dutch or French at a fluent level)
  • Cyber liability insurance
  • At least 2 client references in a similar context

1.8 Workload and Availability

The engagement is estimated at approximately 55 man-days spread across multiple phases. This is not a full-time position; instead, services will be requested on-demand, based on project needs and scheduling. The team must be available to respond flexibly to planned testing windows and follow-up activities.

This position was originally posted on Pro Unity.

It is publicly accessible, and we recommend applying directly through the Pro Unity website instead of going through third party recruiters.