How to join CREST
How to join CREST
In accordance with CREST’s stated aim “to increase professionalism in the security testing industry”, CREST places requirements on member companies in order to ensure that consistent standards of services are delivered.
The requirements fall into 4 main areas:
- Company operating procedures and standards
- Personnel security and development
- Approach to testing
- Data security
Prior to applying to join CREST, prospective member companies are encouraged to review the requirements documents and ascertain their compliance status.
Prospective CREST Member Companies can apply for membership in any or all of the following disciplines:
- Penetration Testing
- Cyber Essentials (to become a CREST accredited Certifying Body)
- Simulated Targeted Attack and Response (STAR)
- Threat Intelligence
- Cyber Security Incident Response
The company membership application form is a comprehensive form requiring a prospective member company to provide evidence that they are compliant with the various CREST requirements.
During the application process, we will require copies of the certain documents. These include:
- Copy of a professional indemnity insurance certificate or company letter confirming level professional indemnity insurance.
- Depending on the discipline being applied for, a copy of a sample contract including terms and conditions.
- Copy of any standards compliance certificates (e.g. ISO27001, ISO9001).
- Copies of your Quality and Information Security processes.
- Copies of your Complaint Handling and Conflict of Interest policies.
Please consult our Frequently Asked Questions document regarding completion of the application form. Please note that all supporting documentation must be emailed to CREST for audit.
Prospective Member Evaluation
CREST carries out a thorough review of your application based on the information provided in your application forms and supporting documentation. CREST reserves the right to carry out an onsite audit of your company against the CREST standards.
Feedback will be provided to your point of contact during the review processs that any issues may be resolved.
In the event of a membership application not meeting the guidelines, further supporting evidence will be requested for review, prior to a decision being made.
Start Date and Duration of Membership
Your point of contact will be notified when your application has been approved. Your membership will start from the first of the next calendar month after notification and will be valid for one year. This is subject to receipt of any outstanding documentation and payment of your annual membership fee.
At the start of your membership, a certificate will be sent to the point of contact provided in your application form and your company details will be posted on this website based on the details provided within your application documentation.
Use of Contractors for CREST tests
CREST does not prohibit the use of contractors on CREST tests. However, it is essential that all members engaged in a CREST test follow CREST standards for conduct and methodology and attestation to this is included in the membership application form.
To this end we require that contractors agree to follow the CREST approved procedures and methodologies of the company to which they are contracted. This must be agreed in writing and form part of the contract, along with any further conditions as required by the end client.
Full details are available from [email protected].
Annual membership fees will be applied as follows:i) £5,000 pa for membership of one country Chapter
ii) £7,000 pa for membership of one region and any of its associated country Chapters
iii) £25,000 pa for global membership (all regions and associated country Chapters)
Recognition for member companies will be as follows (respectively):
i) Identified as a member of that country (only)
ii) Identified as a member of that region and of individual countries within that region
iii) Identified as a global operator
As an illustration:
- ABC Company Ltd – UK based only, delivering services only in UK. Subscription £5,000
- DEF Company Ltd – UK based with ability to deliver across EMEA. Region = EMEA. Subscription £7,000
- FGH Company Ltd: UK based with ability to deliver across EMEA, plus Singapore secondary with ability to deliver in Singapore but not wider Asia market. Subscription £12,000 (= EMEA @ £7,000 plus Singapore only @ £5,000)
- RST Company Ltd – UK based with ability to deliver across EMEA plus, Singapore secondary with ability to deliver across Asia. Regions = UK & Asia. Subscription £14,000
- XYZ Company Ltd – operations in UK, Germany, Spain, USA, Singapore & Australia. Region = global. Subscription £25,000
Subscriptions are based on a member company’s area of operation in a country or region and associated with an address (ie. an office). Member companies are invited to choose which countries and regions they wish to be attached to. The most a company will have to pay is £25,000 per annum to be attached to all CREST Chapters in all regions around the world. The definition of CREST’s membership regions is available here.
Existing Members have the opportunity to add Chapter membership to their subscription at any time during their membership and the additional membership fee will be pro-rated to co-term with the company’s annual membership renewal date.
There is a £750 assessment fee for company membership. This includes all support and liaison with CREST regarding the application. The fee will cover your application to all disciplines chosen. There is no discount for applying for only one membership discipline.
For existing CREST member companies, an administration fee of £500 will be payable for the addition of disciplines after the original application.
CREST reserves the right to conduct a full assessment every three years requiring a full re-submission of all documents. If called for, there will be an assessment fee of £750 for this.
Please note that VAT will be applied, where applicable, to all fees.
Applying for CREST company membership
If you wish to become a CREST member company please register your interest by emailing [email protected].
CREST membership must be renewed on an annual basis. Your point of contact will be sent a renewal reminder by email at least two months’ in advance of the renewal date.
You will be asked to complete your renewal on the CREST Membership Portal. You will have to complete the CREST renewal form and supply the supporting documentation requested, as well as re-signing the CREST Code of Conduct.
CREST carries out a thorough review of your renewal based on the information provided. CREST reserves the right to carry out an onsite audit of your company against the CREST standards. Once approved, the annual membership fee will be payable.
There are no administration fees payable for annual renewal of your CREST membership.