Anyone with a computer and an Internet connection can set themselves up as a penetration testing or cyber incident response service provider. These could include irresponsible organisations that do not have in place policies, processes and procedures to ensure quality of service and protection of client-based information. The individuals employed by these companies may have no demonstrable skill, knowledge or competence but an impressive CV. This makes the procurement of these important services difficult and problematic.
The buying community needs to be in a position where it can procure services from a trusted company with access to demonstrably professional technical security staff. CREST provides the buying community with a clear indication of the quality of the organisation and the technical capability of staff they have access to.
All CREST member companies have submitted policies, processes and procedures relating to their service provision to CREST. These policies, processes and procedures have been assessed by CREST and have been deemed fit for purpose. Re-submission is required every year and CREST reserve the right to conduct a full re-assessment every three years to ensure currency. The CREST member company signs up to a binding and enforceable company code of conduct that ties them to their CREST submission. They also agree to align their complaints process with that of CREST. This forms the basis of any complaint resolution. The CREST Complaints and Resolution Measure can be found here.
CREST Certified professionals have passed an industry recognised set of examinations to test their skill, knowledge and competence. These individuals will typically have at least 10,000 hours (5 years plus) regular and frequent experience. These individuals are capable of working independently, running full testing programmes and managing and co-ordinating teams.
CREST Registered professionals have passed an industry recognised set of examinations to test their skill, knowledge and competence. These individuals will typically have at least 6,000 hours (3 years plus) relevant and frequent experience and be in a position to work independently on assignments.
All CREST qualifications have been reviewed and endorsed by the UK Government, CESG.
Both Certified and Registered professionals have to re-sit the examinations every three years.
All those holding a CREST qualification have signed a personal code of conduct. This ensures that they act in an ethical manner and adhere to the policies, processes and procedures of the CREST Member company they are working for.
CREST also produce independent research and publications designed to support the buying community.
The combination of independently assessed companies with access to professionally qualified staff, underpinned by effective and meaningful Codes of Conduct, provides the buying community with confidence in the services that they wish to procure.