# Quality Management System (QMS) Policy

- Document ID: BD-QMS-POLICY-001
- Version: 1.0
- Standard: ISO 9001:2015 (Quality Management Systems)
- Effective Date: 2026-03-17
- Classification: Internal Use

## 1. Quality Policy Statement
BeDefended is committed to delivering high-quality penetration testing services and advisory solutions that meet client expectations and exceed compliance requirements. We achieve this through:
- Consistent Methodology: Standardized 6-phase testing approach (recon, discovery, scanning, testing, verification, reporting)
- Non-Destructive Testing: Rigorous adherence to non-destructive testing principles (no data modification, no DoS)
- Compliance Integrity: All reports include verified findings, CVSS 4.0 scoring, and remediation guidance
- Continuous Improvement: Regular process reviews, client feedback integration, team training
- Customer Focus: Understanding client needs, delivering on-time, exceeding expectations
Policy Commitment: The organization commits to:

- Establishing and communicating quality objectives annually
- Ensuring competence of all personnel (training, certifications)
- Maintaining documented processes for all testing activities
- Monitoring process effectiveness through KPIs and audits
- Addressing nonconformities and managing improvements

## 2. Quality Scope

### 2.1 Products & Services Covered
- Automated penetration testing (web apps, APIs, infrastructure)
- Manual penetration testing (complex logic, business workflows)
- Compliance reporting (GDPR, HIPAA, NIST 800-53, ISO 27001, FedRAMP, SOC 2)
- Security advisory services (architecture review, secure SDLC)
- Report generation and evidence management
### 2.2 Scope Exclusions
- Client infrastructure (tested but not delivered)
- Third-party vulnerability databases (sourced, not created)
- Post-delivery client remediation (client responsibility)
## 3. Quality Objectives (ISO 9001:4.4)
| Objective | Target | Measurement | Owner | Review |
|---|---|---|---|---|
| Finding Accuracy | ≥99% (verified PoCs) | False positives / total findings | QA Lead | Monthly |
| On-Time Delivery | 100% | Reports delivered by agreed date | Engagement Mgr | Per engagement |
| Client Satisfaction (CSAT) | ≥4.5/5 | Post-engagement survey | Client Success | Quarterly |
| Compliance Coverage | 100% of frameworks requested | Mapping completeness audit | Compliance Officer | Per report |
| Report Quality | ≥95% peer review pass | Defects found in review | QA Lead | Per report |
| Team Competence | 100% current certifications | Cert expiration tracking | HR | Quarterly |
## 4. Quality Management System Structure

### 4.1 Key Processes

Core Processes:

1. Pre-Engagement (Intake): Scope definition, rules of engagement, client expectations
2. Testing Execution: 6-phase methodology, tool integration, evidence capture
3. Verification & Validation: PoC recreation, FP filtering, finding severity review
4. Report Generation: Compliance mapping, finding compilation, client delivery
5. Post-Engagement: CSAT collection, archive, knowledge extraction

Supporting Processes:

1. Process Management: Documentation, workflow updates, training
2. Resource Management: Tool procurement, lab environment, team scheduling
3. Competence & Training: Certification tracking, skill development, knowledge share
4. Monitoring & Measurement: KPI dashboards, audit logging, quality metrics

### 4.2 Process Documentation Hierarchy
Level 1: Quality Policy (this document)
Level 2: Procedures (Change Mgmt, Incident Response, Testing Methodology)
Level 3: Work Instructions (tool usage, report templates, testing checklists)
Level 4: Records (audit logs, test results, client agreements)
## 5. Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Quality Manager | Overall QMS oversight, internal audits, nonconformity management |
| Engagement Manager | Client liaison, scope definition, on-time delivery |
| QA Lead | Peer review, finding verification, report quality checks |
| Pentester | Execute testing per methodology, document evidence, ensure non-destructive testing |
| Report Generator | Compliance mapping, report compilation, template compliance |
| CISO | Approve major process changes, risk oversight |
## 6. Quality Requirements by Phase

### Phase 0: Intake & Scoping
- [ ] Client intake form completed (business context, tech stack, rules of engagement)
- [ ] Scope defined in writing (included URLs, excluded URLs, testing windows)
- [ ] Authorization verified (contract signed, scope acknowledged)
- [ ] Resource allocation planned (team, timeline, tools)
### Phase 1: Reconnaissance
- [ ] Passive recon completed (DNS, WHOIS, cert history, historical URLs)
- [ ] Active recon completed (IP enumeration, port scanning, service fingerprinting)
- [ ] Technology stack identified and documented
- [ ] Report: `context.json` generated with fingerprint data

### Phase 2: Discovery
- [ ] Content discovery completed (crawling, fuzzing, parameter discovery)
- [ ] JavaScript sources mapped (endpoints, event handlers, secrets)
- [ ] API endpoints enumerated and documented in `app-map.json`
- [ ] Hidden files/directories tested (robots.txt, .git, source maps)

### Phase 3: Scanning
- [ ] Nuclei templates executed (CVE, exposure, misconfig templates)
- [ ] Nikto scans completed (default configurations, security headers)
- [ ] TLS/SSL assessment done (cipher suite, certificate validation)
- [ ] Report: `context.json` updated with scan findings

### Phase 4: Manual Testing (17 Skills)
- [ ] All 17 test skills executed (injection, auth, access control, SSRF, logic, etc.)
- [ ] Each finding has working PoC (verified, non-destructive)
- [ ] Evidence captured (screenshots, HTTP traffic, command output)
- [ ] False positives removed during verification phase
### Phase 5: Verification & Reporting
- [ ] All findings independently verified (PoC re-created)
- [ ] CVSS 4.0 scores assigned + vectors validated
- [ ] Compliance frameworks mapped (GDPR, HIPAA, NIST, ISO 27001, etc.)
- [ ] Report generated from template (DOCX with injection of compliance sections)
- [ ] Peer review completed (≥1 reviewer, <3% defect rate)
### Phase 6: Delivery & Follow-Up
- [ ] Report delivered on time (agreed date)
- [ ] CSAT survey sent (target >4.5/5)
- [ ] Evidence archived (secure storage, retention per policy)
- [ ] Knowledge extracted (techniques, lessons learned)
## 7. Nonconformity & Corrective Action

### 7.1 Types of Nonconformity

Severity Levels:

- Critical: Finding verification failed, false positive reported, data modified
- Major: Report delivered late (>1 day), <90% CSAT, compliance mapping missing
- Minor: Formatting error, missing evidence screenshot, documentation unclear

### 7.2 Corrective Action Process
- Detection: Client complaint, internal audit, peer review finding
- Documentation: Log nonconformity (description, severity, root cause hypothesis)
- Investigation: Determine root cause (process failure, competence gap, tool issue)
- Action Plan: Corrective action (process change, retraining, tool upgrade)
- Implementation: Execute action, document evidence
- Verification: Confirm effectiveness (repeat similar scenario, no recurrence)
- Closure: Close nonconformity, update procedures if needed
- Preventive Measures: Identify similar risks, implement preventive controls
Response Timeline:

- Critical: Root cause analysis + action plan within 24 hours
- Major: Action plan within 3 days
- Minor: Action plan within 1 week

## 8. Internal Audits & Management Review

### 8.1 Internal Audits

- Frequency: Quarterly
- Scope: All processes (intake, testing, reporting, delivery)
- Coverage: ≥1 full testing cycle per quarter

Audit Checklist:

- [ ] Intake forms complete and authorized?
- [ ] Testing followed 6-phase methodology?
- [ ] All findings have verified PoCs?
- [ ] Report includes compliance mapping?
- [ ] Peer review completed before delivery?
- [ ] Evidence properly archived?
- [ ] CSAT feedback collected and analyzed?

### 8.2 Management Review

- Frequency: Quarterly
- Attendees: Quality Manager, CISO, Engagement Manager, team leads

Review Topics:

- QMS effectiveness (findings, nonconformities, audit results)
- Quality objectives status (CSAT, on-time delivery, accuracy)
- Customer feedback trends (complaints, suggestions, praise)
- Process improvements implemented in previous quarter
- Resource adequacy (tools, training, staffing)
- Risk register and mitigation status
Output: Management Review Report with action items and assigned owners
## 9. Customer Focus & Satisfaction

### 9.1 Customer Communication
- Pre-Engagement: Kickoff call, scope walkthrough, Q&A
- During: Weekly status updates (phase progress, issue escalations)
- Post-Engagement: Delivery call, report walkthrough, next steps
- Follow-Up: 30-day remediation status check, 90-day post-engagement survey
### 9.2 Feedback Mechanism
- CSAT survey (scale: 1-5 for overall satisfaction, specific aspects)
- Post-engagement interview (lessons learned, suggestions for improvement)
- Continuous feedback channel (support email, issue tracking)
### 9.3 CSAT Targets & Trending
- Target: ≥4.5/5 average CSAT
- Monitoring: Monthly trend analysis
- Action: If CSAT <4.0, root cause analysis + improvement plan required
## 10. Competence & Training

### 10.1 Competence Requirements

All Pentester Staff:

- [ ] CEH (Certified Ethical Hacker) or equivalent
- [ ] OSCP (Offensive Security Certified Professional), recommended
- [ ] Company-specific training (non-destructive testing rules, tool usage)
- [ ] Annual security awareness training
- [ ] Role-specific training (development, infrastructure, mobile, web3)

Leadership:

- [ ] CISSP or equivalent (CISO, Compliance Officer)
- [ ] Project management certification (Engagement Manager)
- [ ] Quality auditor training (Quality Manager)

### 10.2 Training Plan
- Annual: Security awareness, compliance updates, tool training
- New Hire: Onboarding (non-destructive rules, company processes, tool labs)
- Skill Development: Certifications, conference attendance, knowledge sharing
## 11. Continuous Improvement

### 11.1 Improvement Initiatives

2026 Improvements:

1. Reduce finding verification time (target: <2 hours per finding)
2. Automate compliance mapping (POA&M generation for each framework)
3. Increase test coverage (target: >85% endpoint coverage)
4. Improve report turnaround (target: <5 days post-testing)

### 11.2 Improvement Process
- Identify: From audits, CSAT feedback, nonconformities, team suggestions
- Prioritize: By impact (CSAT improvement, efficiency gain, risk reduction)
- Plan: Define objective, approach, owner, timeline, success criteria
- Implement: Execute plan, monitor progress
- Verify: Measure results against success criteria
- Document: Update procedures, share lessons learned
## 12. Policy Approval & Review
| Role | Signature | Date |
|---|---|---|
| Quality Manager | _____ | 2026-03-17 |
| CISO | _____ | 2026-03-17 |
| CEO | _____ | 2026-03-17 |
- Review Schedule: Annually (Q1) or when significant process changes occur
- Next Review: 2027-01-15
- Status: Approved

Document Control:

- Owner: Quality Manager
- Last Updated: 2026-03-17
- Version: 1.0
- Distribution: All staff + client-facing documentation