The Electronic Communications (Security Measures) Regulations 2022

Testing (U.K.)

14.—(1) A network provider or service provider must at appropriate intervals carry out, or arrange for a suitable person to carry out, such tests in relation to the network or service as are appropriate and proportionate for the purpose of identifying the risks of security compromises occurring in relation to the public electronic communications network or public electronic communications service.

(2) The tests must involve simulating, so far as is possible, techniques that might be expected to be used by a person seeking to cause a security compromise.

(3) The network provider or service provider must ensure, so far as is reasonably practicable—

(a) that the manner in which the tests are to be carried out is not made known to the persons involved in identifying and responding to the risks of security compromises occurring in relation to the network or service or the persons supplying any equipment to be tested, and

(b) that measures are taken to prevent any of the persons mentioned in sub-paragraph (a) being able to anticipate the tests to be carried out.

(4) The references to tests in relation to the network or service include references to tests in relation to—

(a) the competence and skills of persons involved in the provision of the network or service, and

(b) the possibility of unauthorised access to places where the network provider or service provider keeps equipment used for the purposes of the network or service.

Commencement Information

I1 Reg. 14 in force at 1.10.2022, see reg. 1(2)