A Guide to CREST Penetration Testing
Posted by Peter Bassill on 23/12/2019
What is CREST penetration testing?
When procuring a penetration test, it's essential to have complete confidence in the provider you choose to perform the assessment.
CREST is the Council of Registered Ethical Security Testers, an independent, not-for-profit accreditation body for penetration testing companies. CREST accreditation is a well-established 'stamp of approval' for a high-quality penetration test.
Penetration testing (sometimes called ethical hacking) is a security testing engagement whose purpose is to identify security vulnerabilities in networks, systems and applications and to classify the level of risk each one presents. It takes different forms, such as web application, external infrastructure or wireless testing, and can cover many areas.
A CREST penetration test can only be performed by a CREST accredited company, and the tester carrying out the work must hold at least the CREST Registered Tester qualification. CREST accreditation demonstrates that a company runs and documents penetration tests to the highest legal, ethical and technical standards. CREST accredited companies should be ISO 9001 certified for quality management and ISO 27001 certified for information security, and all of them sign up to CREST's code of conduct.
Who or What is CREST?
CREST is the Council of Registered Ethical Security Testers. It is an international not-for-profit accreditation and certification body that represents and supports the technical information security market. CREST provides internationally recognised accreditation for organisations, and professional-level certification for individuals, that provide penetration testing and related services such as vulnerability scanning. To achieve CREST accreditation, a company must undergo a rigorous assessment of its business processes, data security and security testing methodologies.
What is a CREST-certified company?
Every CREST member company must open up its internal workings. As part of the accreditation process, the company must provide the policies, processes and procedures relating to its services. This is not a one-off exercise: maintaining CREST accreditation means reapplying annually, with a full reassessment required every three years.
Why choose a CREST accredited provider for pen testing?
According to CREST themselves in their industry procurement guide, "There are many benefits in procuring penetration testing services from a trusted, certified external company. CREST member companies employ professional, ethical and highly technically competent individuals."
Using a CREST accredited provider for pentesting services means the entire testing process will adhere to the highest legal, ethical and technical standards. The CREST penetration testing process follows best practice in critical areas such as preparation and scoping, assignment execution, post-technical delivery and data protection.
What are the benefits of CREST accredited testing?
CREST accredited pentesting offers many advantages, including:
Highly trained security professionals
CREST penetration tests are carried out by CREST registered or certified penetration testers. To earn these qualifications, testers must pass a series of rigorous exams proving their skill, knowledge and competence, and they must recertify every three years.
Improved customer assurance
Clients should ask pentesting firms to demonstrate how they protect the client data handled during an engagement. Using a CREST accredited penetration testing provider gives assurance that the provider follows security best practice in protecting that data. CREST accreditation also often helps when tendering for work and is frequently used as a marketing point.
A CREST penetration test can be used for many things, but often it is to support information and cyber security requirements. These include ISO 27001, the GDPR and the Data Protection Act (DPA), the Network and Information Systems Directive and Regulations (NIS Regulations) and, for merchants and other organisations handling payment card data, the Payment Card Industry Data Security Standard (PCI DSS).
Globally recognised accreditation
CREST accreditation is valid and recognised worldwide, providing valuable assurance for companies with a global presence or those working with overseas customers. Using a provider without such accreditation may call the outcome and credibility of the test into question.
Up-to-date knowledge
The threat landscape is constantly changing, and keeping knowledge current is a never-ending challenge. Every CREST member company and every certified individual must recertify regularly to maintain their status.
What does a CREST Penetration Test Cost?
The cost of a CREST penetration test varies significantly depending on the scope of what is being tested, but as a baseline we can test around 20 IP addresses per day. A CREST penetration tester costs £950 plus VAT per day.