About CREST

Welcome to CREST.

CREST is a not-for-profit organisation that serves the needs of a technical information security marketplace that requires the services of a regulated professional services industry.

CREST represents the technical information security industry by:

  • offering a demonstrable level of assurance of processes and procedures of member organisations
  • validating the competence of their technical security staff
  • providing guidance, standards and opportunities to share and enhance knowledge
  • providing technical security staff with recognised professional qualifications, and supporting those entering or progressing in the industry with ongoing professional development

CREST provides organisations wishing to buy penetration testing services with confidence that the work will be carried out by qualified individuals with up-to-date knowledge, skill and competence in the latest vulnerabilities and techniques used by real attackers.  All examinations used to assess individuals have been reviewed and approved by GCHQ, CESG.  These organisations will also know that the penetration testers are supported by a company with appropriate policies, processes and procedures for conducting this type of work and for the protection of client information.

Working alongside the Bank of England (BoE), government and industry, CREST developed a framework to deliver controlled, bespoke, intelligence-led cyber security tests.   STAR (Simulated Target Attack and Response) incorporates penetration testing and threat intelligence services to accurately replicate threats to critical assets. The STAR scheme is a prerequisite for membership of the BoE CBEST scheme, used to provide assurance to the most critical parts of the UK’s financial services.

For those organisations that have experienced a cyber security attack, or are trying to reduce the likelihood or severity of such an attack, CREST has introduced a scheme based on company assessment and professional qualifications which has been endorsed by GCHQ and CPNI.  The scheme focuses on appropriate standards for incident response aligned to demand from all sectors of industry, the wider public sector and academia.  Companies included in this scheme have demonstrated that they have effective policies, processes and procedures in place to help organisations plan for, manage and recover from significant cyber security related incidents.  These companies will also have access to professionally qualified staff in intrusion analysis and reverse engineering.

Penetration testing, STAR and cyber incident response services provided under CREST are also supported by comprehensive codes of conduct for both the company and individual.  These codes are used to ensure the quality of the services provided, the integrity of the companies and individuals and adherence to audited policies, processes and procedures.  This provides a significant level of protection for any organisation procuring these types of services.

CREST is part of a consortium with the IISP and Royal Holloway College to provide examinations for Security Architects under the CESG Certified Professional Scheme.  The introduction of this exam is having a significant impact on the technical security industry and its moves towards professionalisation.

Conducting its own research and working closely with e-Skills, academia and training organisations, CREST provides a structured approach for entry into the industry and professional development pathways for those wishing to progress.

CREST has member companies in a number of countries and a formally established Chapter in Australia that has the full support of the Australian Government.