We create and store unimaginable amounts of data, much of it vital for the running of our national defences and infrastructures, our businesses and our personal lives.
This vast resource is vulnerable to criminals and other malign actors – the people who want to steal, corrupt, delete or hold our data to ransom.
Organisations need to be sure that those employed to test and improve the security of their systems are competent and operate to the highest professional and ethical standards.
Accredited members provide buyers with clear assurances of the quality of their services, their trustworthiness and the technical capability of their staff.
CREST provides buyers with:
Our members offer industry-leading levels of quality assurance and peace of mind for buyers thanks to our rigorous accreditation and professional certification processes.
It is not always immediately clear what cyber security service you may need for your organisation.
To help you we have developed our interactive Buyer Journey which helps you decide what cyber security service you need and puts you in touch with accredited members who can deliver that service.
You can find out more about cyber security disciplines by clicking on the panels at the bottom of the page for a brief introduction on each.
Or, if you prefer, you can click Start your buyer journey below to begin your search.
Penetration testing is a method of testing and evaluating the security of a computer system or network by simulating an attack from malicious parties to identify attack vectors, vulnerabilities and control weaknesses. It involves the use of a variety of manual techniques supported by automated tools: it looks to exploit known vulnerabilities and uses the expertise of the tester to identify specific weaknesses in an organisation’s security arrangements.
Intelligence-Led Penetration Testing is the assurance of critical functions that are likely to be subject to sophisticated and persistent attack.
CREST Simulated Target Attack and Response (STAR) intelligence-led penetration tests use threat intelligence to deliver these attack simulations, providing assurance that organisations have appropriate countermeasures and responses to detect and prevent cyber-attacks. The tests are carried out by experienced penetration testing providers on all types of organisations and are considered to be the most realistic form of assurance service within the sector. This is combined with a review of the company’s ability to recognise and react to cyber security related attacks.
Threat Intelligence is defined as contextualised output of a strategically driven process of collection and analysis of information pertaining to the identities, goals, motivations, tools and tactics of malicious entities intending to harm or undermine a targeted organisation’s operations, ICT systems or the information flowing through them. Threat Intelligence can often be used to enrich penetration testing services to simulate sophisticated threat actors.
Cyber Incident Response is the term used to describe actions undertaken when a computer network or system is compromised or believed to be compromised. Cyber Security Incident Response (CSIR) organisations can evaluate the situation and undertake the most appropriate actions to allow recovery from, and prevent reoccurrence of, the incident.
A Security Operations Centre (SOC) is a facility where enterprise information systems (e.g. web sites, databases, data centres and servers, networks, etc.) are monitored, assessed and defended. Depending on the nature of the SOC, organisations may offer a variety of services including monitoring, detection, threat hunting, incident management, log analysis, forensic imaging, malware analysis, reverse engineering, mitigation advice and general good practice guidance.
Vulnerability Assessment (VA) is the examination of an information system or product to determine the adequacy of existing security measures, to identify security deficiencies, to predict the effectiveness of proposed security measures, and to confirm the adequacy of such measures after implementation.
CREST OVS is a new quality assurance standard for the web security industry. CREST OVS is aligned to both OWASP’s Application Security Verification Standard (ASVS) and its Mobile Application Security Verification Standard (MASVS).
STAR-FS is a framework for intelligence-led penetration testing of the financial sector.
The framework has been developed to meet the needs of the regulators by ensuring the same level of rigour is applied whilst reducing the resourcing implications for regulators.
STAR-FS promotes an intelligence-led penetration testing approach that mimics the actions of cyber threat actors intent on compromising an organisation’s important business services and the technology assets and people supporting those services. Collaboration, evidence and improvement lie at the heart of STAR-FS, as does close liaison with key stakeholders.
The STAR-FS process utilises commercially available threat intelligence services to define realistic and current threat scenarios, which the penetration testing teams then use to replicate real-world attacks against operational systems. Risks to these systems are mitigated through the establishment of an internal control group, risk assessment, the accredited policies and processes utilised by the service provider, and the skill and competence of the threat intelligence and penetration testing providers.