
Penetration Testing was born from murky beginnings, with hackers making the wise move to avoid prosecution by turning their skills into a business opportunity. From this came the need for regulation, and standardisation and rigorous certification requirements are now the norm.

A wide range of specialist certifications have evolved in the last few years, offering customers much-needed reassurance, service guarantees and adherence to industry-standard best practices.

But how do you know which one(s) to choose?

In this article, we will examine a few specific qualifications to help you determine which certifications are applicable to you and your industry. Firstly, there is CREST.

CREST Certification for Penetration Testing

CREST (www.crest-approved.org) is the most recognised certification available and is widely applicable to information security professionals, regardless of specialism. CREST is actually an acronym for The Council of Registered Ethical Security Testers, and the standard qualification comes in three flavours: Practitioner, Registered and Certified.

While each level is naturally demanding, they are designed to span from entry-level qualifications for those looking to join the industry to exams that set the bar for experienced, senior security professionals.

CREST certifications help to ensure standards of methodology and performance across various Penetration Testing providers, be they individual contractors or established cyber security companies. Their ubiquity in the marketplace has meant that CREST certification has become the de facto gold standard, increasingly becoming a mandatory requirement in bidding for public sector contracts and key private sector industries.

For any 'typical' pen testing requirement, CREST would be a necessary certification to insist on.

It’ll reassure you that your organisation’s network will be tested using the latest techniques, while maximum attention is paid to operational safety concerns throughout the testing.

ISO 27001 - The Information Security Standard

ISO 27001 is the key information security standard from the International Standards Organisation (ISO). Holders of ISO 27001 will have passed a strict audit that places responsibility for information security under senior management control. The standard is intended to reassure potential customers that the holder's procedures for handling sensitive data meet its demanding requirements.

It really is worth taking into account because the security firm you engage will handle sensitive data relating to your security capabilities and vulnerabilities inherent to your organisation. So, ask questions about the data handling of any potential Penetration Testing provider.

ISO 27001 is now so commonplace across almost every sector that if a potential provider doesn’t have it, it might be worth asking why!


CBEST (by CREST) For Important Financial Institutions

Moving on to more specialist qualifications, CREST runs CBEST, an accreditation scheme administered jointly with the Bank of England.

CBEST is an industry-leading scheme designed to ensure that the critical systems that make up the nation’s financial infrastructure are tested in the most arduous manner possible, yet still safely. CBEST is much wider-ranging than traditional Penetration Testing, and takes a holistic approach that encompasses people, technology and processes, starting with a threat intelligence-led approach. However, it’s relatively new to the marketplace, so don’t rule out an experienced Penetration Testing professional just because they’re not CBEST-approved.

CHECK - For Government Departments & CNI

With yet another C-acronym, CHECK is a government scheme administered by the National Cyber Security Centre (NCSC) and is designed specifically for government departments and Critical National Infrastructure (CNI) - think nuclear power stations, the electricity grid, telephony systems and airports.

Key requirements include basic security clearances and vetting by the National Cyber Security Centre to assess technical proficiency.

TIGER Scheme

The TIGER Scheme is similar to the CREST accreditation and has similar technical requirements to the CHECK scheme. On successfully passing the TIGER exams, the National Cyber Security Centre will confer CHECK status on an applicant.

The TIGER scheme is set up and administered by the University of South Wales. Although its popularity has recently dipped slightly, it is still a well-respected and common accreditation.

PCI DSS Penetration Testing - For The Payment Card Industry (PCI)

You’ll often see the phrase "PCI DSS compliant", and if you deal with payment card processing, compliance is a requirement.

The Payment Card Industry (PCI) Data Security Standards (DSS) are intended to regulate the security of those handling sensitive payment data. Under the scheme, security professionals are trained and certified as Qualified Assessors and/or Approved Scanning Vendors.

These are the two certifications to look for in the companies you engage to audit your PCI compliance.

CREST STAR - 'Simulated Target Attack & Response' (Red Teaming)

Lastly, CREST STAR is a really interesting scheme, again administered by CREST, providing accreditation for companies offering Red Teaming services. Red Teaming is a simulated attack by a team of experienced ethical hackers and provides the toughest test available; it is a couple of levels up from what would normally happen during a regular Penetration Test.

STAR stands for Simulated Target Attack and Response and lays out a comprehensive set of standards and best-practice guidelines for red-teaming exercises.

So there it is. As you can see, there are a couple of certifications that should be regarded as "required". Then there are a number of specialist certifications designed to meet particular industry requirements or highly advanced demands.

But you should be clear that an ongoing vulnerability management programme, which includes Pen Testing (across the different types of Penetration Tests), is essential to identify critical vulnerabilities before they are exploited for real.

About CyberOne

CyberOne is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24x7 from our ISO27001-accredited UK Security Operations Centre (SOC).

Located at the heart of a high-security, controlled-access Tier 3 data centre, CyberOne's state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts, and disrupts hacker behaviour as part of a multi-layered security defence to help secure some of the UK’s leading organisations.