Publications, Procurement Guides & Research Projects

CREST is committed to supporting all sectors of the technical information security industry by providing guidance material and commissioning research projects.  The CREST material currently available is listed below.


CREST and NCA Cyber Crime Report
CREST member companies met the National Crime Agency’s National Cyber Crime Unit (NCA NCCU) to assist in their efforts to prevent young people being tempted to participate in illegal online activities. The discussion paper is now available. Read more

Closing the Gender Gap in Cyber Security
CREST releases report exploring the reasons behind the lack of gender diversity in cyber security and looking at ways to drive change. Read more and download the report

GCSE Reform: A New Dawn of Computer Science
CREST members met with the examinations board AQA to discuss cyber security and GCSEs.  This discussion paper stems from the discussions at that workshop and has been shared with the Government.  You can download the paper here: CREST GCSE Reform Report

Digital Defenders careers guide – Reasons to work in cyber security
Working with the Cabinet Office, CREST has developed a careers guide and interactive PDF for school children who may want to consider a career in cyber security.  Please download from the following link and view in Acrobat for the best experience: Digital Defenders

If you would like printed copies of the guide, please contact [email protected]

Cyber Security Careers Guide
CREST has developed a careers guide for University students considering a career in cyber security.  Read more and download the Guide…


CREST has produced implementation Guides for CBEST and Cyber Essentials.  Please click on the links below to download the Guides:

Further information on these two schemes are available:  Click here for information on CBEST and here for the Cyber Essentials scheme.

CREST have completed research projects into both Penetration Testing and Cyber Security Incident Response and guides to assist organisations procuring these services have been published.

Penetration Testing – A guide for running an effective Programme
CREST’s Penetration Testing Guide provides practical advice on the establishment and management of a penetration testing programme, with advice on how to conduct effective, value-for-money penetration testing as part of a technical security assurance framework.  It is designed to enable organisations to prepare for penetration tests, conduct actual tests in a consistent, competent manner and follow up tests effectively.

The Guide presents a useful overview of the key concepts that need to be understood to conduct well-managed penetration tests, explaining what a penetration test is and is not, outlining its’ strengths and limitations, and describing why an organisation would typically choose to employ an external provider of penetration testing services to help with planning for and undertaking tests effectively, ensuing that vulnerabilities are identified and remediated.

To support these procurement guides and to ensure the effectiveness of any penetration testing programme, CREST has developed a suite of maturity assessment tools to ascertain the status of a pentesting programme against an industry standard scale.  Further details including a guide to the tools and the tools themselves can be found here.

Cyber Security Incident Response Guides
The CREST Cyber Security Incident Response (CSIR) Procurement Guide provides details on how to handle cyber security incidents in an appropriate manner and offers practical advice on how to prepare for, respond to and follow up an incident in a fast and effective manner.  The purpose of the Guide is to help improve the buying process for current and potential buyers of CSIR services and to help the buying community meet the range of different requirements for responding to a cyber security incident, based on their type of organisation.  This Guide will help you achieve the best response for your circumstances.

The CREST Cyber Security Incident Response (CSIR) Supplier Selection Guide helps the buying community understand the benefits of using external suppliers, determine which activities should be outsourced, define criteria upon which to base selection of a suitable supplier and provides guidance on appointing suitable third party experts.  It provides practical advice on the procurement of CSIR services and investigates the primary considerations for a buyer when weighing up the benefits of outsourcing their CSIR capabilities.

In support of the work on cyber security incident response, a maturity assessment tool has been developed to enable assessment of the status of an organisation’s cyber security incident response capability.  The tool helps to measure the maturity of a cyber security incident response capability on a scale of 1 (least effective) to 5 (most effective).  The tool is powerful, yet easy to use and consists of two different spreadsheets, enabling assessments to be made at either a summary or detailed level.  Further details are available here.

Cyber Security Monitoring and Logging
The CREST Cyber Security  Monitoring and Logging Guide explains what organisations need to do when monitoring and logging cyber security events.  The Guide focuses on proactive measures that will make organisations more difficult to attack and help them to reduce the frequency and impact of cyber security incidents, including sophisticated cyber security attacks.  Further details are available here.

Industrial Control Systems:  Technical Security Assurance Requirements
The CREST Industrial Control Systems Position Paper presents the findings from a CREST project on the Technical Security Assurance of Industrial Control Systems (ICS).  This document is based on detailed research and includes insights, commentary and analysis garnered from subject matter experts through:

If you have any questions or require further information, please email [email protected]


If you have an idea for a subject that CREST could consider conducting research into, please let us know by emailing [email protected].  Other research projects are planned in the near future and information will be made available on this page in due course.

If you have any questions or require further information, please email [email protected]