Setting up a CREST Chapter

CREST actively encourages the creation of new Chapters. As a not for profit organisation, CREST’s mission is to create capability, capacity and consistency within the global technical cyber security industry.  As a consequence, we will provide support and assistance to countries and regions that are focused on building local CREST Chapters.

You can find out details of future CREST chapters here.

What is a Chapter?
A CREST Chapter is effectively a vehicle for promoting and maturing cyber security practices in either a region or a country.

A CREST Chapter is a legal entity in its own right. It may either be a standalone, not-for-profit organisation that has been set up as an individual legal entity, or it may be sub group of another not for profit organisation that already exists within a country. Chapters have a formal Contract with CREST (International) that defines formal roles and responsibilities between the Chapter and CREST.

What makes a Chapter?
CREST is focused on making Chapters sustainable. Although sustainability within regions and countries will be influenced by a number of different factors, some of the key indicators are as follows:

• Government recognition that Cyber Security is a significant area of focus
• Interest from industry regulators. A desire to build cyber security standards that achieve more consistency and maturity within their industry.
• A buying community that actively procure technical cyber security services
• A supplier community that recognise the need to demonstrate skills, capability and experience to industry stakeholders

Chapters have the ability to take a share of the income that is generated by both company memberships and individual exam income that is delivered in country. In return, the Chapters are expected to take responsibility for their business hygiene, including activities such as book keeping, insurance and local data protection requirements. Chapters are expected to promote both membership and examinations themselves and run industry events to communicate to all areas of the stakeholder ecosystem.

Although there are no concrete figures around a minimum number of member companies or Information Security professionals required to build a Chapter, CREST believes that there is a tipping point where sustainability becomes easier to achieve. As a rule of thumb, CREST recommends:

• If there are approximately five suppliers of technical cyber security services within a market, with interest in supporting the creation of a CREST Chapter, then this would indicate a sustainable supplier base.

• If there are approximately 15-20 individuals within a market that are actively involved in the delivery of technical cyber security services and who recognise the value in demonstrating their skills to employers, then this would indicate a sustainable base of individuals.

In every instance, CREST is interested in supporting countries, organizations and even individual cyber security professionals to build and sustain CREST Chapters. We actively encourage dialogue and are keen to help support initiatives that drive consistency across the global cyber security industry.

CREST firmly believes that for a countries Chapter to be both self-sustaining and aligned with the countries cyber security strategy, it is imperative that it has a local board of executives that have responsibility for defining and executing the Chapter’s initiatives. One of the key things that CREST believes is essential is that there is consistency in standards internationally. For example, a red teaming exercise in the UK should mean the same thing as a red teaming exercise in Spain or in Malaysia. Therefore, local Chapters have responsibility to ensure that consistent standards and accreditation goals are maintained internationally. However, local Chapters also have the ability to adapt their focus according to domestic Government and Regulator led initiatives. For instance, in the UK, the NCSC and Cabinet office has promoted Cyber Essentials as a scheme oriented towards UK based SME organisations. It makes sense for the CREST UK Chapter to have the flexibility to adapt to and champion this scheme without an expectation that it has to be rolled out across all global Chapters. In a similar manner, if the Italian government were to define a cyber security initiative for their domestic market, it would make sense for the respective local Chapter to have sufficient autonomy to build approaches and communications tailored to these needs.

Next Steps
To find out more about how CREST can help build localized CREST chapters, please e-mail