**10.1 Prepare**

Preparation includes planning, risk assessment, policy, business continuity planning, countermeasure deployment, training, education and accreditation. These are all essential in optimizing our readiness for cyber attacks.

Accreditation is a particularly interesting term in this context. Security accreditation is management acceptance of the risks associated with a system. This is no small responsibility in the event of an attack. To increase assurance and reduce the associated risk, a thorough penetration test should be carried out as a standard part of the accreditation process. Conducting a penetration test is effectively paying someone to hack your organization's systems. A skilled penetration tester will be able to locate vulnerabilities and advise on cost-effective ways to reduce their risk. Organizations should be careful of individuals marketing themselves as penetration testers without the appropriate skills. A tester should hold recognizable certifications (GIAC, CEH, etc.) and be a member of an accredited or approved organization (such as (ISC)2) that requires its members to follow a code of ethics.

After the test, a report should be provided that identifies the specific vulnerabilities found, together with suitable fixes, and recommends process improvements that will reduce the risk of future vulnerabilities going unchecked.
