CSA and AISP to collaborate with CREST to introduce penetration testing certifications in Singapore

October 2015

Penetration testing is an important undertaking to assess and improve the Cyber Security posture of organisations. By identifying and exploiting vulnerabilities, penetration testers could surface recommendations to harden the security of important ICT systems.  Qualified and competent penetration testing professionals and service providers are necessary to improve the readiness of ICT systems against sophisticated cyber threats.

The Cyber Security Agency of Singapore, the Association of Information Security Professionals (AISP) and CREST International have signed a Memorandum of Intent (MOI) to work together to introduce CREST certifications in Singapore. The Cyber Security Agency of Singapore (CSA) will provide funding for AISP, a local body for Information Security professionals, to work with CREST International, a UK-head quartered non-profit organisation, to establish a CREST Singapore Chapter and offer penetration testing certifications. This initiative was developed in collaboration with the Monetary Authority of Singapore (MAS), the Association of Banks in Singapore (ABS) and the Infocomm Development Authority of Singapore (IDA). 

CREST certifications for penetration testing would offer transparent and open standards that serve as a competency baseline for practicing professionals and service providers. In the UK and Australia, CREST certifications are the prevailing industry standards for penetration testing, with the standards being endorsed by the government. By introducing these certifications in Singapore, this could grow local capabilities and provide assurance for professionals and service providers that perform penetration tests.

Mr David Koh, Chief Executive of CSA, said, “We see internationally recognised certifications such as CREST as an important tool to grow the indigenous core of Cyber Security professionals. By introducing CREST certifications in Singapore, we want to enhance the competencies of penetration testers and raise their professionalism.”

Mr Wally Lee, President of AISP, said, “CREST certifications are useful to ……”

Mr Rowland Johnson, Director of CREST International, said, “CREST is delighted to work with the CSA and AISP to develop penetration testing standards in Singapore.  Through the provision of CREST accredited companies and CREST certified professionals, we will be able to deliver increased levels of confidence to the buying community, the regulators and the government.  CREST is working hard to professionalise the cyber security testing sector and through development of a local chapter in Singapore, it will be possible to achieve consistently high standards across the region.”

Mr Ravi Menon, Managing Director of MAS, welcomed the development. He said, “In the financial sector, MAS has…..”

Mrs Ong-Ang Ai Boon, Director of the ABS  said, “CREST will provide financial institutions and outsourced service providers a better assurance on the quality of penetration testing services and in turn enhance the overall cyber security posture of banks in Singapore.”

Ms Jacqueline Poh, Managing Director of the Infocomm Development Authority of Singapore (IDA) said, “In the Government sector, IDA has …”

With the signing of the MOI, AISP and CREST International would work together, with the support of CSA, to offer CREST certifications for professionals and service providers by the third quarter of 2016.


Jointly issued by the Cyber Security Agency of Singapore (CSA), Association of Information Security Professionals (AISP) and CREST International


Related resources

Annex: CREST certifications in Singapore

About Cyber Security Agency of Singapore (CSA)

The CSA is the national body overseeing cyber security strategy, education and outreach, and industry development. It reports to the Prime Minister’s Office and is managed by the Ministry of Communications and Information.

The roles of CSA are:

a) Engagement and outreach – Nurturing ties with local and global industry and thought leaders, heightening cyber security awareness through public outreach programmes, and promoting security-by-design

b) Industry development – Developing a robust cyber security ecosystem, i.e. a vibrant industry equipped with the manpower to respond to and mitigate cyber attacks

c) Protecting critical sectors – Strengthening cyber security in our critical sectors, such as energy, water, and banking

d) Operations – Ensuring effective coordination and deployment in our response to cyber threats

About Association of Information Security Professionals (AISP)

The AISP is a Government and Industry collaboration which aims to transform Infocomm Security into a distinguished profession and build a critical pool of competent Infocomm security professionals who subscribe to the highest professional standards.  The AISP was registered with the assistance of the Singapore Computer Society (SCS) and the strong support of the Infocomm Development Authority of Singapore (iDA) in February 2008.

It was officially launched on 17 April 2008 by Dr Vivian Balakrishnan, the then Minister for Community Development, Youth and Sports.

AISP aims to:

a) To promote, develop, support and enhance the integrity, technical competence, management expertise, status and interests of Information Security professionals in Singapore.

b) To promote the development and dissemination of Information Security knowledge and related topics.


Formed in 2006 and headquartered in the UK, CREST had helped to achieve a competency baseline across the penetration testing and other cyber assurance services in UK. CREST certifications and schemes now form the backbone of the UK technical cyber assurance market for both public and private sectors.  As of September 2015, there are more than 60 member companies, ranging from boutique SMEs to multinational companies operating across all major regions. CREST has also expanded beyond UK with a CREST chapter established in Australia under the full support of the Australian Government. The Australian CREST chapter has 18 members currently. In addition, CREST has member companies that are dedicated to serving markets in a number of mainland European countries from Holland to Greece. It also has members operating in South Africa, Singapore, Malaysia and the USA.


Factsheet on CREST certifications in Singapore

CREST International has a range of certifications that include Penetration Testing, Incident Response, Malware Analysis and wider Information Security Architecture in the UK. Penetration testing certifications will be introduced first in Singapore, with more certifications potentially being rolled out subsequently.

CREST certifications for penetration testing would provide transparent and open standards that serve as a competency baseline for practicing professionals and service providers.

CREST certifications for penetration testing provide assurance on:

a. Service providers. This is in the form of validating their policies and procedures; technical security methodologies, reporting and data handling; validating private indemnity and public insurance coverage, employee background checks to ensure that trustworthy and competent employees are used on CREST penetration testing engagements; and

b. Professionals. This is in the form of assessing their technical skills and knowledge, understanding of legal and regulatory frameworks, communication skills and information security knowledge.