Penetration Testing and Cybersecurity Assurance
CliniciansCheck
Version 1.0 | Published: 29 May 2025 | Status: Active
Next Review Due: 29 November 2025
Policy Owner: Chief Information Security Officer (CISO)
Approved by: Board Governance Committee
Jurisdiction: Global – UK, EU, US, Canada, Australia, Singapore, India
1. Purpose
1.1 This policy outlines how CliniciansCheck proactively protects its systems, infrastructure, data, and users through ongoing cybersecurity measures, including regular penetration testing, vulnerability assessments, and risk remediation practices.
1.2 It reflects our commitment to platform security, resilience against cyber threats, and compliance with regulatory frameworks such as GDPR, HIPAA, NHS DTAC, and international security standards including ISO/IEC 27001 and NIST.
2. Scope
2.1 This policy applies to all infrastructure, applications, systems, and services operated by CliniciansCheck or its approved technology partners.
2.2 It also applies to all internal teams, administrators, external vendors, contractors, and partners involved in software development, data handling, or system management.
3. Security Testing Principles
3.1 CliniciansCheck follows a layered security model using defence-in-depth, least privilege access, and continuous monitoring.
3.2 Cybersecurity assurance is embedded throughout the development and operational lifecycle of the platform.
3.3 Penetration testing is a mandatory component of our assurance framework and is performed routinely by qualified security professionals.
4. Penetration Testing Policy
4.1 Penetration testing is conducted at least annually, or more frequently in the following situations:
a. Major platform upgrades or infrastructure changes
b. Detection of a serious vulnerability
c. Regulatory requirement or contractual obligation
d. Security incident or near miss
4.2 Tests include application-layer testing, network-layer testing, role-based access assessments, data isolation checks, and simulated attack scenarios.
4.3 CliniciansCheck uses a combination of internal security personnel and certified third-party specialists to ensure objectivity and depth.
4.4 All penetration tests are planned, authorised, and conducted under strict non-disruption protocols.
5. Vulnerability Management and Response
5.1 All vulnerabilities identified during testing are triaged based on risk level, business impact, and exploitability.
5.2 Critical vulnerabilities are addressed immediately, and high-risk items are remediated within strict timeframes based on severity.
5.3 Patching, configuration changes, and compensating controls are deployed as required, with detailed tracking and sign-off from the CISO or delegated technical lead.
5.4 Affected systems may be taken offline or placed under restricted access until the issue is resolved.
6. Security Testing Standards and Alignment
6.1 CliniciansCheck’s penetration testing and security assurance protocols follow recognised industry frameworks, including:
6.2 OWASP Testing Guide (Web and API Security)
6.3 ISO/IEC 27001 Information Security Management
6.4 NHS DTAC (Digital Technology Assessment Criteria)
6.5 NIST SP 800-53 and 800-115
6.6 CREST-accredited third-party test providers
6.7 GDPR Article 32 (Security of Processing)
6.8 HIPAA Security Rule (Administrative, Technical, and Physical Safeguards)
7. Internal Security Assurance
7.1 In addition to external penetration tests, CliniciansCheck maintains:
a. Continuous vulnerability scanning
b. Automated code security checks in the software development pipeline
c. Threat intelligence integration and zero-day monitoring
d. Incident simulation and response rehearsals at least twice per year
7.2 Logs from security testing activities are retained, encrypted, and protected for at least six years, and made available to regulators or auditors upon lawful request.
8. User Protection and Responsibility
8.1 Users, clinicians, and vendors are encouraged to report suspected vulnerabilities via the official reporting channels outlined in the Vulnerability Disclosure Policy.
8.2 All user accounts are protected by two-factor authentication (2FA) and password strength policies, and must not be shared or reused.
8.3 Any user account found compromised or abused will be suspended immediately pending investigation.
9. Contact and Escalation
9.1 Security-related questions, vulnerability reports, or urgent risks should be submitted directly to:
Email: operationsteam@clinicianscheck.com
9.2 All reports are reviewed by the Information Security team within one business day and escalated as necessary.
10. Version Control
10.1 Version: 1.0
10.2 Date Published: 29 May 2025
10.3 Status: Active
10.4 Next Scheduled Review: 29 November 2025
10.5 Policy Owner: Chief Information Security Officer (CISO)
10.6 Approved By: Board Governance Committee
10.7 Contact Email: operationsteam@clinicianscheck.com
10.8 Applies To: All internal teams, vendors, developers, administrators, and external security testers