Why does CREST Exist?


Organizations that have mature cyber security programs will be accustomed to running technical assurance exercises against their applications and infrastructure and understand how to utilize threat intelligence services to support these assessment activities. The same organizations will also understand how to prepare for and respond to cyber security related incidents.

When these services are externally sourced mature buyers understand the need to identify service delivery organizations that are professional and reputable, with appropriate controls in place to manage assignments and protect client information.

These same organizations need to identify people delivering the services who are knowledgeable, capable and experienced.

When these elements are combined with a meaningful contract or code of conduct, buyers are able to achieve a level of confidence that the procurement process has been run in an effective and diligent manner.

From a company perspective, buyers need confidence that their chosen suppliers:

From an individual perspective, buyers need confidence that the person delivering the services:

CREST has built a meaningful company accreditation and individual certification framework that addresses the market’s needs. CREST

accredits companies by conducting detailed audits on their policies, procedures and working practices. CREST certifies individuals by delivering practical and theory based examinations aligned to a series of different technical disciplines. Company Accreditation and Individual Certifications are tied together with powerful codes of conducts. CREST maintains a register of companies and individuals, and breach of the code of conduct can result in members being removed the register.

Through Accrediting Companies and Certifying individuals, CREST provides a meaningful framework for governments, regulators and buyers to procure services against. Once CREST is established in a country or region, it acts as a vehicle to drive quality and skills. Organizations that already deliver quality services are able to use CREST accreditation and certification metrics to demonstrate this capability to the market. Organizations that are looking to develop new services in this area, have a tangible and meaningful framework to aspire towards. Through the accreditation and certification guidance that is available to prospective CREST member companies, they are able to develop their capabilities and align them to the market’s needs.

In order to counter the risk of cyber-attack it is also essential that the industry works together and shares best practice and knowledge. It is also essential to have in place developmental activities that help professionals working in the industry to obtain and maintain the knowledge that need to work in this fast changing environment. CREST acts as a focus for the development of best practice and professional development activities through its collaborative research activities.