CREST is a not-for-profit accreditation and certification body that represents and supports the technical information security market. CREST was set up in 2006 in response to the clear need for more regulated professional services and is now recognised globally as the cyber assurance body for the technical security industry.

CREST provides internationally recognized accreditations for organisations and individuals providing penetration testing, cyber incident response and threat intelligence services. All CREST member companies undergo stringent assessment; while CREST qualified individuals have to pass rigorous professional level examinations to demonstrate knowledge, skill and competence. CREST also supports the industry by providing in-depth guidance material and commissioning detailed research projects all of which is provided to the industry free of charge.

CREST provides organisations wishing to buy penetration testing services with confidence that the work will be carried out by qualified individuals with up to date knowledge, skill and competence of the latest vulnerabilities and techniques used by real attackers. All examinations used to assess individuals have been reviewed and approved by GCHQ, NCSC. They will also know that the penetration testers are supported by a company with appropriate policies processes and procedures for conducting this type of work and for the protection of client information.

Working alongside the Bank of England (BoE), government and industry, CREST developed a framework to deliver controlled, bespoke, intelligence-led cyber security tests. STAR (Simulated Targeted Attack and Response) incorporates penetration testing and threat intelligence services to accurately replicate threats to critical assets. The STAR tests use Threat Intelligence to deliver these attack simulations to provide assurance that organisations have appropriate countermeasures and responses to detect and prevent cyber attack. The STAR scheme is a prerequisite for membership of the BoE CBEST scheme, used to provide assurance to the most critical parts of the UK’s financial services.

For those organisations that have experienced a cyber security incident, or are trying to reduce the likelihood or severity of such an attack, CREST has introduced a scheme based on company assessment and professional qualifications which has been endorsed by GCHQ and CPNI. The CREST Cyber Security Incident Response scheme focuses on appropriate standards for incident response aligned to demand from all sectors of industry, the wider public sector and academia. Companies included in this scheme have demonstrated that they have effective policies, processes and procedures in place to help organisations plan for, manage and recover from significant cyber security related incidents. These companies will also have access to professionally qualified staff in intrusion analysis and reverse engineering.

CREST also accredit SOC providers. This accreditation discipline helps the buying community understand how SOC’s work. The key criteria required in an effective service will, in particular, enable the buying community to differentiate the services provided. The scheme provides existing and potential members with a tangible differentiator to help them attract clients. There are differences on the SOC accreditation to our other disciplines. The main one being that the application process will consist of three steps: Application Form, External Validation and Technical Assessment.  There is further information here.

Penetration testing, STAR, SOC and cyber incident response services provided under CREST are also supported by comprehensive Codes of Conduct for both the company and individual. These codes are used to ensure the quality of the services provided, the integrity of the companies and individuals and adherence to audited policies, processes and procedures. This provides a significant level of protection for any organisation procuring these types of services.

CREST is part of a consortium with CIISec and Royal Holloway College to provide examinations for Security Architects under the NCSC Certified Professional Scheme. The introduction of this exam is having a significant impact on the technical security industry and its moves towards professionalisation.

Conducting its own research and working closely with other organisations including academia and training, CREST provides a structured approach for entry into the industry and professional development pathways for those wishing to progress.

Background information on CREST is available to download here: