What is CREST, and why is being CREST accredited so important?
What is penetration testing?
Penetration testing is the intentional execution of attacks on your IT system. they are undertaken by IT professionals, to expose the weak spots in your system’s defences. Penetration tests give a picture of the security vulnerabilities of your website, network and systems.
What is a CREST penetration certificate?
CREST presents the industry standard of practice, service and customer satisfaction. CREST stands for 'Council of Registered Ethical Security Testers
The organisation was initially set up as a response to unregulated penetration vulnerability testing. A lack of regulation led to a lack of uniform methodology and varying outcomes for testing subjects. It is a not-for-profit accreditation body that seeks to establish professional standards for penetration testers. CREST accreditation represents companies that are recognised as offering the highest-quality and most professional network or website penetration testing.
What does it mean to have a CREST certification?
There are three levels of CREST accreditation, all requiring different levels of experience and expertise.
To be recognised as a ‘CREST practitioner professional’, testers must take an entry-level exam and have 2,500 relevant hours of experience. Testers at this level should be able to conduct routine assignments under general supervision.
To be accredited as a ‘CREST registered professional’, testers must take a more extensive set of exams than above. These testing professionals will have 6,000 hours (3 years plus) of relevant and frequent experience and be in a position to undergo testing projects by themselves.
The most prestigious acknowledgement for testers is to be designated a ‘CREST certified professional’. These professionals will have at least 10,000 hours (5 years) of experience. This certification recognises that these testers are capable of running full testing projects independently, as well as managing and coordinating teams.
The benefits of using a CREST accredited member company
Using a CREST certified professional means that you are accessing services that are highly skilled, knowledgeable and competent. To be CREST certified, practitioners must demonstrate that they have met industry standards. Potential CREST certified practitioners must submit ‘policies, processes and procedures’ relating to the services they offer. CREST assesses everything and determines whether they fit the criteria of a CREST member.
An external body should validate pen testers (or testing companies) because they are likely to come into contact with highly sensitive and critical information. After all, the goal of network penetration testing is to see how airtight your company’s security processes are. To put the responsibility of testing your security system to someone untrustworthy would be disastrous.
How do I join CREST?
Firstly, all CREST members are required to sign NDAs. The CREST team will then check company documents such as professional indemnity insurance and contracts. Next, they assess the quality processes and procedures of the individual and their organisation. This includes management of client contracts, complaint handling and conflict of interest policies.
As a member of CREST, the governing body reserves the right to carry out onsite audits of business premises. CREST has stringent standards not only for CREST professionals but also for contractors working with CREST-accredited companies or assisting CREST professionals.