Regions icon
Membership & Accreditation icon

Setting up a CREST Chapter

What is a chapter?
A CREST Chapter is effectively a vehicle for promoting and maturing cyber security practices in either a region or a country. It is a legal entity in its own right. Chapters have a formal contract with CREST (International) that defines formal roles and responsibilities.

What makes a chapter?
We are focused on making chapters sustainable. Although sustainability within regions and countries will be influenced by a number of different factors, some of the key indicators are as follows:

  • Government recognition that Cyber Security is a significant area of focus.
    • Interest from industry regulators. A desire to build cyber security standards that achieve more consistency and maturity within their industry.
    • A buying community that actively procure technical cyber security services.
    • A supplier community that recognise the need to demonstrate skills, capability and experience to industry stakeholders.

Chapters have the ability to take a share of the income that is generated by both company memberships and individual exam income that is delivered in country. In return, our chapters are expected to take responsibility for their business hygiene, including activities such as book-keeping, insurance and local data protection requirements. Chapters are expected to promote both membership and examinations themselves and run industry events to communicate to all areas of the stakeholder ecosystem.

Although there are no concrete figures around a minimum number of member companies or Information Security professionals required to build a chapter, we believe that there is a tipping point where sustainability becomes easier to achieve. As a rule of thumb, we recommend:

  • If there are approximately five suppliers of technical cyber security services within a market, with interest in supporting the creation of a CREST Chapter, then this would indicate a sustainable supplier base.
  • If there are approximately 15-20 individuals within a market that are actively involved in the delivery of technical cyber security services and who recognise the value in demonstrating their skills to employers, then this would indicate a sustainable base of individuals.

In every instance, we are interested in supporting countries, organizations and even individual cyber security professionals to build and sustain CREST Chapters.

We firmly believe that for a chapter to be both self-sustaining and aligned with a country’s or region’s cyber security strategy, it is imperative that it has a local board of executives that have responsibility for defining and executing the chapter’s initiatives. One of the key things that CREST believes is essential is that there is consistency in standards internationally.

For example, a red teaming exercise in the UK should mean the same thing as a red teaming exercise in Spain or in Malaysia. Therefore, local Chapters have responsibility to ensure that consistent standards and accreditation goals are maintained internationally.

However, local chapters can also adapt their focus according to domestic government and regulator led initiatives. For instance, in the UK, the NCSC and Cabinet Office has promoted Cyber Essentials as a scheme oriented towards UK based SME organisations. It makes sense for the CREST UK Chapter to have the flexibility to adapt to and champion this scheme without an expectation that it has to be rolled out across all global chapters.

Future chapters

CREST in the GCC Region
We have as visited the Middle East on a number of occasions to support the development of new markets for UK technical security companies.  These visits have been very successful and included formal presentations to major banking institutions and regulators.

We are now working towards establishing a CREST Chapter in the Middle East, building on the recent success of a new chapters established in Asia and the European Union.  This will provide a focal point and foundation for building a bigger and stronger market for UK companies and help to mature Middle East cyber security capability and capacity.

CREST in Malaysia
A Memorandum of Understanding has been signed between CREST and Persatuan Penguji Keselamatan Siber Kuala Lumpur, Selangor dan Putrajaya (“PPKS”) to establish a CREST Chapter in Malaysia.

The partnership between the two organisations will help to pave the way for industry in Malaysia to provide greater assurance on the quality of services provided by penetration testers, benchmarked against international standards. It also enables the sharing of international industry expertise and experience with local providers and cyber security individuals that will further boost the development of a sustainable pool of local talent that will support the nation’s security industry.

CREST Malaysia will provide greater capability, capacity and consistency within the domestic cyber security market and will strengthen export opportunities.

Interested in exploring opportunities for a new CREST Chapter?
To find out more about how CREST can help build localized CREST chapters, please e-mail [email protected]

Americas Asia Australasia EMEA United Kingdom