CREST provides commercially defensible scoping, delivery and sign-off recommendations for penetration tests
1 AUGUST 2022: CREST, the international not-for-profit, membership body representing the global cyber security industry, has announced the release of its CREST Defensible Penetration Test, a specification that provides recommendations on how penetration tests should be scoped, delivered and signed off. With significant growth in the numbers of penetration tests being carried out around the world, the need to define best practice has become increasingly important. CREST has worked alongside industry recognised and peer-selected experts to define a minimum set of expectations associated with a penetration test.
CREST Defensible Penetration Test
The guidance focuses on defining a CREST Defensible Penetration Test and is designed to help service providers and their clients to work more effectively together to conduct penetration tests.
“A CREST Defensible Penetration Test provides flexibility built around a minimum set of expectations that will drive better outcomes for buyers across the globe,” explained Rowland Johnson, CREST President. “It provides the industry with a much needed commercially defensible assurance activity that is appropriately scoped, executed and signed off.”
Across the globe it is widely acknowledged that the definitions, practices and expectations associated with a penetration test are inconsistent and fluid. This makes it difficult to define or parameterise a series of activities that looks at all possible requirements, engagements or scenarios. For example, a penetration test may need to assess a mobile phone at one end of the spectrum or an aircraft carrier at the other.
This new CREST guidance provides a best practice framework for penetration test defensibility and an assurance of penetration tester competence. It will help organisations that are looking to procure penetration testing services and organisations that deliver penetration testing services.
Only when the following three elements are satisfied, will the CREST Defensible Penetration Test be commercially defensible:
- The need for penetration testing service providers to have appropriate policies, procedures, practices and methodologies
- The need for all individuals involved in a penetration test to have appropriate levels of skills, experience and competency
- The need for penetration testing service providers and the individuals conducting the assessment to work towards a defined and agreed test specification
More information on the CREST Defensible Penetration Test is available at: Implementation & Procurement Guides – CREST (crest-approved.org)
CREST is an international not-for-profit, membership body representing the global cyber security industry. Its goal is to help create a secure digital world for all by quality assuring its members and delivering professional certifications to the cyber security industry.
CREST accredits almost 300 member companies, operating across dozens of countries, and certifies thousands of professionals worldwide. It works with governments, regulators, academe, training partners, professional bodies and other stakeholders around the world.
CREST members undergo a rigorous quality assurance process and employ competent professionals. Organisations buying their cyber security services from CREST members do so with confidence.
For more information contact: email@example.com, +44 (0)1442 245020