In accordance with CREST’s stated aim ‘to increase professionalism in the security testing industry’, CREST places requirements on member companies in order to ensure that a consistent standard of testing services are delivered.
The requirements fall into 4 main areas:
Prior to applying to join CREST, prospective member companies are encouraged to review the requirements documents and ascertain their compliance status.
Prospective CREST Member Companies can apply for membership in any or all of the following disciplines:
After receipt of an expression of interest, CREST will send you a documentation pack containing:
The company membership application form is a comprehensive form requiring a prospective member company to self-certify that they are compliant with the various CREST requirements.
During the application process, we will require copies of the certain documents. These include:
Please consult our Frequently Asked Questions document regarding completion of the application form.
Prospective Member Evaluation
Companies can apply for assessment for their penetration testing services and/or their cyber security incident response services. The same membership fee applies whether a company seeks assessment to one or both disciplines.
CREST carries out an assessment of your application based on the information provided in your application form following which CREST reserves the right to carry out an audit of your processes and procedures against the CREST standards.
Your point of contact will be kept informed during this process in order that any issues may be resolved.
In the event of a membership application not meeting the guidelines, further supporting evidence will be requested for review, prior to a decision being made.
Start Date and Duration of Membership
You will be notified when your application has been approved. Your membership will start immediately upon notification and will be valid for one year. Notification will be made via email to your point of contact as provided in the company application form.
At the start of your membership, a certificate will be sent to the point of contact provided in your application form and your company details will be posted on this website.
Use of Contractors for CREST tests
CREST does not prohibit the use of contractors on CREST tests. However, it is essential that all members of a CREST test follow CREST standards for test conduct and methodology and confirmation of this is included in the membership application form.
To this end we require that contractors agree to follow the CREST approved procedures and methodologies of the company to which they are contracting. This must be agreed in writing and form part of the contract, along with any further conditions as required by the end client.
Full details are available from email@example.com.
CREST membership costs £7,000 per year. There is a £400 assessment fee for company membership. This includes all support and liaison with CREST regarding the application. The fee will cover both Cyber Incident Response membership and Penetration Testing membership. There is no discount for applying for only one of the membership categories.
For existing CREST member companies there will be no additional membership charge although an administration fee of £250 will be levied against existing CREST members seeking assessment under an additional category.
CREST reserves the right to conduct a full assessment every three years requiring a full re-submission of all documents. If called for, there will be an assessment fee of £750 for this.
Applying for CREST company membership
If you wish to become a CREST member company please register your interest by emailing firstname.lastname@example.org.