RBC’s feedback relates to subchapter 7 (Information security reviews, assessment and testing) and the requirement that penetration testing be conducted every year for critical IT systems and every 3 years for non-critical ones.
We would request that the scope (critical/non-critical IT systems) and the testing frequency are not defined. This will allow organizations more flexibility and also allow them to take a risk-based approach to the effective identification of ICT threats.
At RBC, penetration testing is conducted on all external-facing applications before go-live, annually, and when there are material changes to these applications. We test external-facing applications because these are viewed as having high risk exposure to threat actor operations. Therefore, we feel that external-facing applications, rather than the criticality of the application, would be a more reasonable basis for taking a targeted approach to penetration testing.