Before diving into pentesting standards and guidelines, we need to define four terms that are often confused: policies, standards, procedures, and guidance. All four play a role in information security management, and a clear understanding of how they differ is essential to avoid applying them incorrectly.
Pentesting standards and guidance
Policies
Policies are written by senior management and specify the responsibilities and required behavior of every individual in an organization. In general, policies are short and do not address technical details such as operating systems or vendors. In a large organization, a policy may be divided into sub-policies. One well-known example is the COBIT 5 Information Security Policy set, as shown here:
Standards
Standards are the lower-level description of how the organization enforces a policy: they set the minimum level of security that must be maintained, and compliance with them is mandatory.
Procedures
Procedures are detailed documents that describe every step required to carry out a specific task, such as creating a new user or resetting a password. Every step is mandatory, and procedures must align with the organization's policies.
Guidance
Guidance, or guidelines, is a set of recommended practices and advice from experienced practitioners and institutions; unlike standards and procedures, following it is not mandatory. Penetration testers draw on many such standards and guidelines. The following are some of the best known, with the steps or scope that each one defines.
Open Source Security Testing Methodology Manual
The Open Source Security Testing Methodology Manual (OSSTMM) is a comprehensive methodology written by Pete Herzog and published by the Institute for Security and Open Methodologies (ISECOM). According to OSSTMM, a penetration test should cover security testing of information, processes, internet technology (port scanning, firewalls, and so on), communications, wireless networks, and the physical environment.
Information Systems Security Assessment Framework
The Information Systems Security Assessment Framework (ISSAF) is a methodology in which the penetration tester follows the same steps an attacker would take, with some additional phases. It goes through the following phases:
- Information gathering
- Network mapping
- Vulnerability identification
- Penetration
- Gaining access and privilege escalation
- Enumerating further
- Compromising remote users/sites
- Maintaining access
- Covering the tracks
Penetration Testing Execution Standard
The Penetration Testing Execution Standard (PTES) defines the main sections of a penetration test, backed by a set of technical guidelines. It helps the penetration tester deliver an effective engagement and report by walking through the following seven sections:
- Pre-engagement interactions
- Intelligence gathering
- Threat modeling
- Vulnerability analysis
- Exploitation
- Post-exploitation
- Reporting
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is an important reference for organizations that store, process, or transmit cardholder data for the major card brands. First released in 2004 and maintained by the PCI Security Standards Council (PCI SSC), it exists to protect cardholder data and reduce fraud. Compliance is validated once a year, either by a Qualified Security Assessor (QSA) certified by the PCI SSC or, for merchants with lower transaction volumes, through a Self-Assessment Questionnaire. The standard also requires internal and external penetration tests at least annually and after any significant change, and the PCI SSC's Penetration Testing Guidance information supplement (first published in 2015) structures such a test into the following four phases:
- Pre-engagement
- Engagement: penetration testing
- Post-engagement
- Reporting and documentation