CREST Codes of Conduct

A Code of Conduct sets out the principles, values, standards and rules of behaviour that guide decisions, procedures and systems in a way that contributes to the welfare of clients and respects the rights of all constituents affected by such operations.

Those involved in providing technical information security advice and services hold the role of trusted advisers and there are duties arising from this role and obligations owed to others. This activity is outcomes-focused and concentrates on providing positive outcomes which when achieved will benefit and protect clients.

No Code can foresee or address every issue or ethical dilemma which may arise and Member Companies and CREST Qualified Individuals must uphold the intention of the Codes as well as their letter.

The CREST Codes of Conduct

The CREST Codes of Conduct contains basic principles of good business practice and ethics which are all-pervasive. They describe the standards of practice expected of Member Companies and individuals holding CREST certifications.

The Codes of Conduct set out our conduct requirements to enable Member Companies and Individuals holding CREST Qualifications to consider how best to achieve the right outcomes for their clients.

For Member Companies this means conduct as described in, but not limited to, the submission made to CREST for membership: It is incumbent upon the company to ensure that all relevant staff, contractors and partners are aware of the policies, processes and procedures submitted and reviewed by CREST.

For CREST Qualified Individuals this means that when providing services to a CREST Member Company, it is incumbent upon them to familiarise themselves and comply with the policies, processes and procedures of that CREST Member Company as they will be held to account for their actions.

The Codes are underpinned by effective client complaints handling measures.

Member Companies and CREST Qualified Individuals are expected to exercise their own judgement, which should be made in such a way as to be reasonably justified, to meet the requirements of the CREST Codes of Conduct and should seek advice from CREST if in doubt.

The CREST Codes of Conduct include requirements covering the following headline areas:

• Promotion of Good Practices
• Professional Representation
• CREST Assignments
• Regulations
• Competencies
• Client Interests
• Sanctions
• Ethics
• Responsible Reporting

There are also additional requirements relating to some of the schemes that CREST manage and it is important that CREST Member Companies understand these specific additional obligations.