The red team test plan shall include information on all of the following:
(i) communication channels and procedures;
(ii) the tactics, techniques and procedures allowed and not allowed for use in the attack, including ethical boundaries for social engineering, and how the privacy of involved parties is being safeguarded;
(iii) risk management measures to be followed by the testers;
(iv) a description for each scenario, including:
a. the simulated threat actor;
b. their intent, motivation and goals;
c. the target function(s) and the supporting ICT system or systems;
d. the targeted confidentiality, integrity, availability and authenticity aspects;
e. flags;
(v) a detailed description of each expected attack path, including pre-requisites and possible leg-ups to be provided by the control team, including deadlines for their provision and potential usage;
(vi) scheduling of red teaming activities, including time planning for the execution of each scenario, at a minimum split according to t
…