14.9.1 The Licensed Person must conduct internal and external vulnerability scanning and penetration tests on the network and systems on an annual basis at a minimum and take appropriate mitigating actions in order to address the issues identified during such tests; and
14.9.2 The strength of the information security controls and IT Security controls must be audited by external experts at regular intervals, annually at a minimum, depending on the nature, size and complexity of the business.