Benefits of using a CREST member company
Anyone with a computer and an Internet connection can set themselves up as a penetration testing or cyber incident response service provider. These could include irresponsible organisations that do not have in place policies, processes and procedures to ensure quality of service and protection of client-based information. The individuals employed by these companies may have no demonstrable skill, knowledge or competence but an impressive CV. This makes the procurement of these important services difficult and problematic.
Assurance for Buyers
The buying community needs to be in a position where it can procure services from a trusted company with access to demonstrably professional technical security staff. CREST provides the buying community with a clear indication of the quality of the organisation and the technical capability of staff they have access to, including:
• Access to trusted service organisations utilising highly skilled, knowledgeable and competent individuals
• Procurement support
• Industry benchmarks
• Rigorous application process for added assurance
All CREST member companies have submitted policies, processes and procedures relating to their service provision to CREST, providing added assurance for buyers. These policies, processes and procedures have been assessed by CREST and have been deemed fit for purpose and include:
• Certified individuals
• Language capability
• Assignment preparation & scope
• Assignment execution
• Technical Methodology
• Tools & resources
• Event analysis & response
• Data Storage and Transmission Controls
• Information sharing
• Post technical delivery
• Asset/Information/Document Storage, Retention and Destruction
You can see the specific requirements that we review against each discipline here:
Additional assurances include:
• References for each of the CREST disciplines that must relate to the activities of the discipline;
• All member companies sign up to an enforceable Code of Ethics and Codes of Conduct describing the standards of practice expected of CREST member companies.
The CREST Service Selection Platform also allows buyers to select suppliers with the appropriate CREST qualified staff to match individual assignment requirement(s).
CREST members are required to re-submit an application every year and a full re-assessment is required every three years to ensure currency. The CREST member company signs up to a binding and enforceable company code of conduct that ties them to their CREST submission. They also agree to align their complaints process with that of CREST. This forms the basis of any Complaint and Resolution Measures.
CREST Certified professionals have passed an industry recognised set of examinations to test their skill, knowledge and competence. These individuals will typically have at least 10,000 hours (5 years plus) regular and frequent experience. These individuals are capable of working independently, running full testing programmes and managing and co-ordinating teams.
CREST Registered professionals have passed an industry recognised set of examinations to test their skill, knowledge and competence. These individuals will typically have at least 6,000 hours (3 years plus) relevant and frequent experience and be in a position to work independently on assignments.
CREST Practitioner professionals have achieved the entry level exam into the profession and typically have around 2,500 hours relevant and frequent experience and are capable of conducting routine assignments under general direction.
CREST qualifications have been reviewed and endorsed by Governments and Regulators.
All CREST qualified professionals have to re-sit the examinations every three years.
All those holding a CREST qualification have signed a personal code of conduct. This ensures that they act in an ethical manner and adhere to the policies, processes and procedures of the CREST Member company they are working for.
CREST also produce independent research and publications designed to support the buying community.
The combination of independently assessed companies with access to professionally qualified staff underpinned by effective and meaningful Codes of Conduct provides the buying community with confidence in the services that they wish to procure.