
BRSA Compliant Penetration Test

BRSA (the Banking Regulation and Supervision Agency) is an autonomous public institution that regulates and supervises the activities of banks, financial institutions and related companies. Nearly 200 institutions and organizations, including domestic banks, representative offices of foreign banks, financing companies and card organizations, are subject to BRSA audit.


With ISO 27001 certification:

  • Information is protected against unauthorized access,
  • The confidentiality of information is ensured,
  • Information is not shared with unauthorized persons,
  • The integrity of information is ensured, and authorized users can access it when needed,
  • Employees receive information security training, and all information security vulnerabilities and suspected weak points are reported to the responsible persons.



BRSA Compliant Pentest Scope


Since the most damaging security attacks concentrate on the banking and finance sector, BRSA has made it mandatory for the institutions it supervises to have a penetration test performed in accordance with its requirements. Within the required scope, the following systems of the institution are examined:

  • Wireless Network Systems
  • Code Analysis
  • ATM Systems
  • Internal Penetration Test
  • Database Systems
  • Social Engineering
  • Mobile Applications
  • Communication Infrastructure and Active Devices
  • Domain and User Computers
  • Distributed Denial of Service (DDoS) Tests
  • DNS Service
  • Web Applications
  • Email Services

The resulting report is then audited by BRSA.

What is ISO 27001 Information Security Management System?

BRSA's Information Security Management System (ISMS) was established under its Data and System Management Department. It is audited and certified by independent certification bodies for compliance with the ISO/IEC 27001:2013 standard.


Frequently Asked Questions About BRSA Compliant Penetration Testing

What are the Methods and Tools Used in BRSA Compliant Penetration Testing?

In terms of test stages, methods and tools, a BRSA Compliant Penetration Test does not differ from other penetration tests; what sets it apart is the mandated test scope and the obligations placed on both the organization performing the test and the institution having it performed. For this reason, the methods and tools described in the other "Penetration Testing" articles on our site are examples of the methods and tools used in BRSA Compliant Penetration Tests as well.

What Should Be the Scope of BRSA Compliant Penetration Testing?

As stated in the BRSA communiqué referred to below, the minimum penetration test scope is:

  • Communication Infrastructure and Active Devices
  • DNS Services
  • Domain and User Computers
  • E-mail Services
  • Database Systems
  • Web Applications
  • Mobile Applications
  • Wireless Network Systems
  • ATM Systems
  • Distributed Denial of Service Tests
  • Code Analysis
  • Social Engineering
  • Internal Penetration Test (Intranet Security Checkup)

Why Should I Have a BRSA Compliant Penetration Test?

The banking and finance sector has become the target of the largest cyber attacks both in our country and around the world. Under subparagraph (ç) of the third paragraph of the Banking Regulation and Supervision Agency Communiqué dated 24.07.2012 and numbered B.02.1.BDK ("Communiqué on the Principles to be Based on the Management of Information Systems in Banks"), banks in our country are obliged to have a penetration test performed by independent teams once a year.