G-7 FUNDAMENTAL ELEMENTS FOR THREAT-LED PENETRATION TESTING
Executive Summary
In light of the increasing sophistication and persistence of cyber risks, which can threaten to
disrupt our interconnected global financial systems, the G-7 continues to promote the
development of frameworks to enhance public and private sector approaches to strengthening
cyber resilience of critical entities in the financial system following its publication in 2016 of the
G-7 Fundamental Elements of Cybersecurity for the Financial Sector (“G7FE”).
These efforts include steps to ensure strong cyber resilience measures are assessed and evaluated,
as highlighted by the G-7 Fundamental Elements for Effective Assessment of Cybersecurity in
the Financial Sector (“G7FE-Assessment”), published in 2017. The G7FE-Assessment included
components to consider and embed when developing cyber resilience assessment frameworks.
The G-7 Fundamental Elements for Threat-Led Penetration Testing (G7FE-TLPT) provide
entities with a guide for the assessment of their resilience against malicious cyber incidents
through simulation and a guide for authorities considering the use of Threat-Led Penetration
Testing (TLPT) within their jurisdictions. These fundamental elements are intended to
complement a wider suite of cyber resilience assessment tools and techniques, and are not meant
to be considered as a singular approach.
The core objectives of the G7FE-TLPT are to enhance and assess the cyber resilience of entities
and the financial sector more generally, by:
• Providing core elements of and approaches for the conduct of TLPT across G-7
  jurisdictions. The G7FE-TLPT aim to facilitate greater compatibility among TLPT
  approaches, whilst also encouraging flexibility and local tailoring based on the unique
  markets and regulations within each jurisdiction;
• Providing a guide to authorities considering the use of TLPT within their jurisdiction;
• Providing a guide to entities with respect to conducting their own TLPT assessments; and
• Supporting cross-authority interaction and cross-jurisdictional TLPT for multinational
  entities, facilitating mutual acceptance of test results.
The G7FE-TLPT seek to drive greater compatibility among TLPT approaches and do not
invalidate existing frameworks or prevent their continuous adaptations to the evolving threat
landscape.
TLP WHITE: Subject to standard copyright rules, this document may be distributed freely, without restriction.