Qualified internal resources or a qualified third party may perform the penetration test as long as they are organizationally independent. This means the penetration tester must be organizationally