SECOND SCHEDULE
Sections 2(1) and 47(1)
Licensable cybersecurity services
1.  The following cybersecurity services are licensable cybersecurity services for the purposes of this Act:
(a)managed security operations centre (SOC) monitoring service;
(b)penetration testing service.
2.  In this Schedule —
“managed security operations centre (SOC) monitoring service” means a service for the monitoring of the level of cybersecurity of a computer or computer system of another person by acquiring, identifying and scanning information that is stored in, processed by, or transmitted through the computer or computer system for the purpose of identifying cybersecurity threats to the computer or computer system;
“penetration testing service” means a service for assessing, testing or evaluating the level of cybersecurity of a computer or computer system, by searching for vulnerabilities in, and compromising, the cybersecurity defences of the computer or computer system, and includes any of the following activities:
(a)determining the cybersecurity vulnerabilities of a computer or computer system, and demonstrating how such vulnerabilities may be exploited and taken advantage of;
(b)determining or testing the organisation’s ability to identify and respond to cybersecurity incidents through simulation of attempts to penetrate the cybersecurity defences of the computer or computer system;
(c)identifying and quantifying the cybersecurity vulnerabilities of a computer or computer system, indicating vulnerabilities and providing appropriate mitigation procedures required to eliminate vulnerabilities or to reduce vulnerabilities to an acceptable level of risk;
(d)utilising social engineering to assess the level of vulnerability of an organisation to cybersecurity threats.