Triskele Labs Blog

What does it mean to have a CREST certification?

Written by Nick Morgan | Sep 3, 2019 10:56:00 AM

As anyone familiar with the cybersecurity industry would know, a CREST certification is a strong indicator of the quality of the security services a company can deliver. CREST - the Council of Registered Ethical Security Testers - is an international accreditation and certification body that represents and supports the technical information security industry.

As part of its functions, it accredits organisations and certifies individuals who provide penetration testing, cyber incident response, threat intelligence, and Security Operations Centre (SOC) services - some of the areas of work we specialise in here at Triskele Labs.

Continue reading our post to find out what it means for a cybersecurity service provider to possess its own CREST certification.

WHAT ARE CREST’S REQUIREMENTS?

To begin with, companies that want to gain a CREST certification need to prove that they deliver a consistent standard of service. For this, there are four requirements in place for any member application. These relate to (1) the company's operating procedures and standards, (2) personnel security and development, (3) approach to testing, and (4) data security.

All prospective members can apply for membership in any number of the following disciplines:

1. Penetration Testing

2. Cyber Essentials

3. Intelligence-led Penetration Testing

4. Cyber Security Incident Response

5. SOC

Before applying, organisations are encouraged to audit and review their own processes against these requirements so that any gaps are closed ahead of the assessment.

WHAT’S THE APPLICATION PROCESS LIKE?

The application process begins with an expression of interest. CREST asks applicants to sign a mutual NDA, after which login details for its membership portal are provided.

Beyond completing the application form itself, applicants need to provide evidence that they comply with the CREST requirements outlined above.

Certain documentation will be required as part of the application, including (but not limited to) a copy of the professional indemnity insurance certificate, copies of any standards compliance certificates, copies of the quality assurance and information handling processes, and copies of the complaint handling and conflict of interest policies.

CREST then reviews the application against the information provided. As part of this process, it reserves the right to carry out an onsite audit of the company against the CREST certification standards.

What is notable about this process is that CREST provides each company with feedback, so that any issues identified can be rectified. If an application does not initially meet the requirements, further supporting evidence is requested and reviewed before a final decision is made.

CREST TESTING

CREST certification and accreditation also involves testing. There are a number of tests and evaluations that applicant companies must commit to undertaking, and which tests apply depends on the discipline (or disciplines) the organisation is applying for.

While member companies are free to use contractors on CREST engagements, those contractors must follow CREST standards of conduct and methodology. Contractors must therefore agree to follow the approved procedures and methodologies of the company to which they are contracted, and this must be stated in writing and form part of the contract.

WHY DO COMPANIES APPLY FOR CREST CERTIFICATION?

With a CREST certification, companies in this industry can demonstrate their competency and consistency in delivering security services, as well as their legal and regulatory knowledge.

CREST-registered penetration testers can provide services across many areas of security, tailored to the cybersecurity needs of each client. This includes assessing the security of a client's infrastructure and systems (no test can guarantee a system is secure, but an accredited test gives assurance that it was examined to a recognised standard), testing and validating the preparedness of a client's technical security staff, investigating cybersecurity risks, and much more.

Through this work, CREST has established a recognised standard of service for penetration testing and related cyber services, with accredited members operating in countries including the US, Australia, the UK, Hong Kong, and Malaysia.

FIND OUT MORE ABOUT CREST CERTIFICATION AND TESTING

CREST certification is a valuable accreditation for companies that wish to provide cybersecurity testing and related services. Unfortunately, the process can seem confusing, especially if you are just starting out.

Find out from Triskele Labs how you can go about obtaining your CREST certification without the hassle or uncertainty. Through our cybersecurity consultancy services, we provide all the support you need.