When searching for a penetration test, you need to have complete confidence in the credentials of your chosen assessment provider.

CREST accreditation is a good place to start – a ‘stamp of approval’ for a high-quality penetration test. But what does it mean to be CREST-approved, and what differentiates CREST penetration testing from other assessments? Read on to find out.


What is penetration testing?

Penetration testing (also referred to as pen testing) is a type of ethical hacking engagement designed to identify and address security vulnerabilities in networks, systems and applications. The scope and scale of a test will vary depending on the buyer’s requirements, but not all penetration testing companies work to the same standards, and there can be an inherent risk in allowing a provider to access important assets and data.

A CREST penetration test is an assessment conducted by a CREST-registered penetration tester. CREST certification demonstrates that a pen testing company conducts and documents penetration testing in accordance with the highest legal, ethical and technical standards.


Who is CREST?

The Council for Registered Ethical Security Testers (CREST) is an international not-for-profit accreditation and certification body which represents and supports the technical information security market. CREST certification is an internationally recognised accreditation for organisations and a professional-level certification for individual penetration testers; it also covers providers of other services such as cyber incident response, threat intelligence and Security Operations Centre (SOC) services. To achieve CREST certification, companies must undergo a rigorous assessment of business processes, data security and security testing methodologies.


What is a CREST-certified company?

All CREST members are required to submit policies, processes and procedures relating to their service provision to CREST for assessment. Achieving and maintaining CREST certification is an ongoing process rather than a one-time step – member organisations are required to submit an application annually, with a full reassessment required every three years.

Each CREST member company signs up to a binding and enforceable company code of conduct, a mandate that includes processes for resolving potential complaints.


Why choose a CREST-accredited pen testing provider?

“There are many benefits in procuring penetration testing services from a trusted, certified external company who employ professional, ethical and highly technically competent individuals. CREST member companies are certified penetration testing organisations who fully meet these requirements, having been awarded the gold standard in penetration testing, building trusted relationships with their clients.” – CREST

CREST-certified pen testing services provide assurance that the entire pen testing process will be conducted to the highest legal, ethical and technical standards. The CREST pen testing process follows established best practices in key areas such as scoping, reconnaissance, preparation, execution, technical delivery, reporting and data protection.



CREST penetration testing benefits

CREST-accredited pen testing offers several advantages, including:

1. Highly trained security experts

CREST penetration testing is carried out by, or at least supervised by, CREST-registered penetration testers. CREST-registered or certified penetration testers are required to pass a series of rigorous exams to prove their skill, knowledge and competence and must re-sit them every three years. CREST pen testers also have to complete between 6,000 hours (CREST-registered) and 10,000 hours (CREST-certified) of professional pen testing experience.

2. Improved customer assurance

Organisations are often tasked by their customers to demonstrate the security and safety of their confidential data. Using a CREST-accredited penetration testing provider enables them to prove that they are adhering to security best practices to protect their data. Commissioning a CREST member company may also provide a commercial advantage when bidding for contracts.

3. Supports regulatory compliance

A CREST pen test supports information security requirements such as the GDPR, DPA 2018, ISO 27001, NIS Regulations and PCI DSS. Some of these standards directly specify that a penetration test must be conducted, while others do so indirectly via the requirement to assess and evaluate the effectiveness of technical and organisational controls. Learn more about the requirements for penetration testing in our compliance guide.

4. Globally recognised accreditation

CREST is UK-based, but its accreditation is valid and recognised around the world. This provides valuable assurance for companies with a global presence or for those working with overseas customers. Using a pen testing provider which lacks accreditation or whose certification is limited to the UK may limit outcomes and credibility.

5. Up-to-date expertise

The threat landscape is in a state of flux, with new threats constantly appearing, so pen testing programs need to keep pace. To ensure that adversarial knowledge is kept up to date, the organisational and individual CREST certification process is repeated periodically. Member organisations are regularly updated by CREST about the latest developments in technical information assurance and participate in member workshops and events.



Why choose Kroll for CREST penetration testing?


Kroll is an award-winning provider of cyber security penetration testing services, conducting over 100,000 hours of security assessments every year. With over 100 security qualifications, including CREST CRT, STAR, CC SAM and many more, we’re one of the most highly accredited security companies in the business. Our range of CREST penetration testing engagements helps organisations to effectively manage cyber security risk by identifying, safely exploiting and helping to remediate vulnerabilities.

Our global team of pen testing experts has extensive experience of working with organisations of all sizes, across a wide range of industries. Our Chief Research Officer, Mark Nicholls, was awarded a prestigious lifetime CREST Fellowship Award in 2019 in recognition of his outstanding level of commitment to the profession and achieving the highest level of excellence in CREST examinations.

In January 2020, Redscan became one of only a few organisations worldwide to achieve CREST SOC accreditation.
