Publications, Procurement Guides & Research Projects

CREST is committed to supporting all sectors of the technical information security industry by providing guidance material and commissioning research projects.  The CREST material currently available is listed below.


CREST and NCA Cyber Crime Report
CREST member companies met the National Crime Agency’s National Cyber Crime Unit (NCA NCCU) to assist in their efforts to prevent young people being tempted to participate in illegal online activities. The discussion paper is now available. Read more

Closing the Gender Gap in Cyber Security
CREST releases report exploring the reasons behind the lack of gender diversity in cyber security and looking at ways to drive change. Read more and download the report

GCSE Reform: A New Dawn of Computer Science
CREST members met with the examinations board AQA to discuss cyber security and GCSEs.  This discussion paper stems from the discussions at that workshop and has been shared with the Government.  You can download the paper here: CREST GCSE Reform

Digital Defenders careers guide – Reasons to work in cyber security
Working with the Cabinet Office, CREST has developed a careers guide and interactive PDF for school children who may want to consider a career in cyber security.  Please download from the following link and view in Acrobat for the best experience: Digital Defenders

If you would like printed copies of the guide, please contact [email protected]


CREST has produced implementation Guides for CBEST and Cyber Essentials.  Please click on the links below to download the Guides:

Further information on these two schemes are available:  Click here for information on CBEST and here for the Cyber Essentials scheme.

CREST have completed research projects into both Penetration Testing and Cyber Security Incident Response and guides to assist organisations procuring these services have been published.

Penetration Testing Procurement Guides
The CREST Penetration Testing Services Procurement Guide is aimed at the buying community, ie. organisations that need penetration testing services, and provides practical advice on the purchase and management of penetration testing services, helping you to conduct effective, value for money penetration testing.  It is designed to enable your organisation to plan for a penetration test, select an appropriate third party provider and manage all the important related activities.

An Introduction to this Guide aimed at helping suppliers of Penetration Testing services assist their potential clients when determining the essential criteria to be applied when choosing an appropriate supplier is also available and details can be found here.

Cyber Security Incident Response Guides
The CREST Cyber Security Incident Response (CSIR) Procurement Guide provides details on how to handle cyber security incidents in an appropriate manner and offers practical advice on how to prepare for, respond to and follow up an incident in a fast and effective manner.  The purpose of the Guide is to help improve the buying process for current and potential buyers of CSIR services and to help the buying community meet the range of different requirements for responding to a cyber security incident, based on their type of organisation.  This Guide will help you achieve the best response for your circumstances.

The CREST Cyber Security Incident Response (CSIR) Supplier Selection Guide helps the buying community understand the benefits of using external suppliers, determine which activities should be outsourced, define criteria upon which to base selection of a suitable supplier and provides guidance on appointing suitable third party experts.  It provides practical advice on the procurement of CSIR services and investigates the primary considerations for a buyer when weighing up the benefits of outsourcing their CSIR capabilities.

In support of the work on cyber security incident response, a maturity assessment tool has been developed to enable assessment of the status of an organisation’s cyber security incident response capability.  The tool helps to measure the maturity of a cyber security incident response capability on a scale of 1 (least effective) to 5 (most effective).  The tool is powerful, yet easy to use and consists of two different spreadsheets, enabling assessments to be made at either a summary or detailed level.  Further details are available here.

Cyber Security Monitoring and Logging
The CREST Cyber Security  Monitoring and Logging Guide explains what organisations need to do when monitoring and logging cyber security events.  The Guide focuses on proactive measures that will make organisations more difficult to attack and help them to reduce the frequency and impact of cyber security incidents, including sophisticated cyber security attacks.  Further details are available here.

COMING SOON – Industrial Control Systems:  Technical Security Assurance Requirements
CREST has recently initiated a new research project to produce a Guide that will provide organisations with a pragmatic approach to identifying and meeting their Industrial Control System (ICS) technical security assurance requirements.  This project, which is supported by CPNI / CESG, will focus on the testing of controls and other measures that are needed to provide assurance over the security of ICS.  It will help organisations determine what they need to do, the best approach to take, and where to go for the right kind of help.

Whilst there is a proliferation of best practice frameworks and technology standards for securing ICS, there is very little to bring it all together easily and effectively for the Buying Community.  The main objective for this project is to provide organisations with a pragmatic way of determining their own industrial control security requirements and procuring any required assurance services from third party experts.

Other research projects are planned in the near future and information will be made available on this page in due course.


If you have any questions or require further information, please email [email protected]