CREST Company Membership Application Form is available here:

CREST Company Membership Application Form.

CREST operates as both a trade body and a professional body.

The trade body is made up of penetration testing companies paying an annual fee to CREST and meeting specified criteria of professionalism. The trade body is largely governed by elected representatives of CREST companies plus a small number of representatives from nominated external bodies. There are two levels of company membership:

* CREST Member Companies.

* CREST Associate Companies.

Together these are collectively referred to as CREST Companies.

The professional body is made up of penetration testers who have passed the CREST Certification Examination. The professional body is governed by the trade body but also provides for individuals who are not employed by CREST Companies.

CREST Company Membership levels.

Company Membership

Penetration Test companies join CREST as a CREST Associate Company by providing the following:

- Signed confirmation that they accept the CREST Code of Practice.

- Signed confirmation that they operate in accordance with a written company methodology that meets the CREST Methodology Requirements.

- Material as required by the CREST application process and risk assessment.

- Payment of the applicable subscription fee.

CREST Associate Companies may change their status to that of CREST Member Company by employing a CREST Consultant or through having one of their employees meet the requirements of a CREST Consultant. For the avoidance of doubt, employment means to be on the company books, paid through PAYE - part-time employees count, but contractors who operate through a separate company (limited or otherwise) or as a sole trader do not. CREST Consultants can only affect the status of one CREST Company at a time.

Should a CREST Member Company no longer employ a CREST Consultant then it will change status to that of CREST Associate Company. CREST Companies must notify CREST at least one week prior to their last CREST Consultant leaving their employment. In cases of instant dismissal CREST must be notified within one working day.

CREST recognises that clients hiring penetration testing services rely not only on the technical expertise of the individual penetration testers but also on the ability and discretion of the employing organisation to maintain the security of their sensitive information. The CREST application is a rigorous process specifically designed to ensure the probity of CREST member companies.

Therefore CREST companies may be required to provide additional evidence to support their application. The exact nature of the evidence required will depend on the outcome of the CREST application process and risk assessment. Full details will be available shortly.

CREST Individual Membership

In order to become a CREST Consultant, an individual must pass the CREST Certification Examination.

This section details how examinations affect CREST individual membership levels.

Company Membership

Individuals Progression

CREST Consultant and Associate status can change during an individual's certification or grandfathering validity period, depending on the employment status of the individual.

Note that the CTL grandfathering period is open only until 31/12/08.

Individual membership of CREST is subject to CREST membership criteria.

Penetration testers can become CREST Consultants by passing the CREST Certification Examination.

Individuals not employed by CREST Companies can take the CREST Certification Examination to become CREST Associates, but cannot undertake CREST approved testing without working under the auspices of a CREST member company.

Only CREST Consultants working for and vetted by a CREST Company can undertake CREST approved tests.

CREST Consultants are eligible to take CREST specialisation examinations. These examination passes will last for lengths of time dictated by the particular specialisations. CREST Consultants are permitted to take as many CREST specialisation examinations as they choose, and will be referred to as CREST Consultants with specialisation in XYZ.

CREST aims to provide a number of career progression options for security testers. Initially, CREST plans to introduce a Foundation Examination which will be a pre-requisite to taking the practical exam. This will take the form of a multiple choice exam with questions drawn from the CREST technical syllabus. This exam will allow a penetration tester to demonstrate basic knowledge of penetration testing and is aimed primarily at individuals in the early part of their career in the security testing industry.

Employment and Vetting

In order to maintain the standards relating to the handling of sensitive client information, a CREST Consultant must be employed by a CREST Company and vetted to CREST Standards. Once the results are lodged with CREST, then the individual can undertake CREST Approved testing.

If a CREST Consultant leaves employment with a CREST Company, then the individual cannot undertake CREST Approved testing, as CREST cannot verify that information relating to the test will be handled in line with CREST's standards.

Examination cycles and Reversion

CREST Certification Examination passes last for 3 years. CREST Consultants must apply for an examination place at least two months prior to their qualification expiring in order to remain current. During times of high demand, it may not be possible for an examination place to be offered prior to the qualification expiring. In these cases (and as long as the place was applied for at least two months prior to expiry) CREST will grant a temporary extension up until the accepted examination place.

CREST Consultants who fail to pass their re-test before the expiry of their qualification (including any temporary extensions) will not be able to use the title CREST Consultant.

Grandfathering

Individuals with a current CHECK Team Leader qualification and employed by a CREST Company at the inception of CREST will be granted CREST Consultant status. This temporary status will last until 1 year after the inception of CREST. Should an individual who has been grandfathered via this route not pass the CREST Certification Examination before the temporary certification expires then they will lose CREST Consultant status.

CREST Approved Tests

CREST Member Companies can conduct CREST Approved Testing. CREST Approved Testing has the following requirements:

* CREST Approved Testing can only be undertaken by CREST Member Companies.

* Each CREST Approved Test must be led by a CREST Consultant who is on-site at the test location for the duration of the test. CREST Member Companies can contract CREST Consultants to undertake CREST Approved Tests.

* CREST Approved Tests that involve simultaneous tests at multiple locations require a CREST Consultant on-site at each location (for the duration of the tests) to lead the tests at each location.

* CREST Approved Tests conducted from CREST Company laboratories require a CREST Consultant on-site at the CREST Company laboratory to lead the tests, although it is acceptable for one CREST Certified Consultant to lead more than one test conducted from the same CREST Company laboratory simultaneously.

* All penetration testers used on CREST Approved Tests must be CREST Professionals or penetration testers employed by CREST Companies. All penetration testers used on CREST Approved Tests must have been vetted to the CREST Vetting Standards and the results of the vetting should be lodged with CREST prior to the test commencing.

* The CREST Consultant or leading the test takes responsibility for all penetration testers used on the test and is therefore urged to ensure that all such penetration testers are suitably qualified and managed to mitigate any risks arising.

There should be no scope for any company (whether in CREST or not) advertising or undertaking "CREST like" tests. Penetration tests that are not CREST Approved Tests will not necessarily be conducted in accordance with the CREST methodology requirements, or CREST Code of Practice, or be led by a CREST Consultant or be conducted wholly by testers who have been vetted to CREST standards. They will also not be subject to the CREST complaint and auditing procedures.

Any company offering a "CREST-like" test may therefore be subject to legal challenges for misrepresentation and/or misuse of the trade mark.





© Copyright 2008. All rights reserved |Crest (GB)