Council of Registered Ethical Security Testers

Penetration testing is a widely accepted method of assuring information security and has become an integral part of many organisations’ operational and technology risk management programs. Yet despite the widespread use of penetration testing, there has historically been a definite lack of agreed standards and practices.

CREST (Council of Registered Ethical Security Testers) was created in response to the need for regulated and professional security testers to serve the global information security marketplace. CREST’s main aim is to represent the information security testing industry and to offer a demonstrable level of assurance as to the competency of approved member organisations and of the individuals working within them.

CREST is a standards-based organisation for penetration test suppliers, incorporating a best-practice technical certification programme for individual consultants. Additionally, CREST provides its members with a framework of guidance, including standards, methodologies and recommendations, aimed at ensuring the very highest standards of leading-edge security testing.

The Foundation of CREST

Formed in order to provide the commercial marketplace a level of assurance on the vendors and services they are contracting, CREST’s mission includes:

- Providing current and relevant information regarding new technologies and methods for those utilising IT security testing in their technology risk programs

- Establishing and maintaining a standard of capability by which individuals and organisations performing IT security testing may be validated

- Maintaining and publishing a register of those accredited organisations and individuals who have met the CREST standard for competency and ethics

Why Use CREST?

The difference with CREST is that it is not simply another qualification of individual abilities. It has been designed to offer a complete framework for member organisations so that those who contract a CREST member organisation to perform IT security testing can be certain that a highly rigorous methodology-based approach to testing exists, covering a range of methodologies, technical expertise, staff vetting, an ethical approach and a legal understanding.

As opposed to other “ethical hacker” certifications, which are pure qualifications, CREST is an industry body supported by bodies such as CESG and CPNI.

It is within this comprehensive framework that CREST offers career progression and certifications for individual consultants and penetration testers. Additionally, organisations are only granted CREST member status whilst they uphold the rigorous standards that CREST mandates.

To ensure impartiality, a number of key organisations have agreed to join an Industry Advisory Panel (IAP) which will help guide the standards and methodologies for member organisations.

IT security testing has reached a pivotal point as more people recognise its importance. Now that it is considered critical, many different bodies may attempt to define standards, codes of conduct and ethics; CREST’s goal is to provide a kite mark for customers seeking security testing providers with high levels of skill, ethics and standards.

About CREST

CREST is a non-profit organisation and is governed by a formal Memorandum of Association (MOA) as a company limited by guarantee. Under this MOA, companies are invited to join the trade association as members, subject to certifying that they meet the minimum standards of ethics, methodologies and technical capability.

In contracting a CREST member organisation to perform a security test, a client can feel secure in the knowledge that the work will be carried out to rigorous standards by qualified, knowledgeable individuals.

For a list of member organisations, as well as further information regarding CREST, please visit their website at www.crest-approved.org or email them at info@crest-approved.org.