CREST Accreditation: Why it’s important for Penetration Testing

January 21, 2020

Penetration testing is the cyber equivalent of letting someone break into your house and rummage through your drawers to see how easy it all would be to steal. Your valuables are in that house. Your underwear is in those drawers.

It goes without saying that you don’t want just anyone barging through the door and diving in.

The same rules apply to penetration testing. You’re giving permission for someone to try to find your deepest, darkest secrets. Data, money, intellectual property – if your security isn’t good enough, it’s all up for grabs.

And it’s not just the fear that it could be misappropriated – what if it is damaged? What if it is accidentally erased? What if everything you ever worked for is lost at the hands of cowboy testers?

These fears are exactly why certification schemes exist for penetration testers: to reassure customers that the service they will receive meets certain standards.


The evolution of penetration testing

Penetration testing has its origins in the kind of war games that armies have ‘played’ for aeons to work out where their weaknesses lie. In more recent history, first the tech industry and then the US military began using a kind of penetration test to assess the security of their systems, giving rise to the Computer Fraud and Abuse Act of 1986. Ethical hacking has been growing in prominence ever since, with the first set of best practices being established in 2003.

Since 2006, CREST has provided internationally recognised accreditations for organisations and individuals providing penetration testing and other cyber security services.

CREST certification applies to both companies and individual testers, giving service users the reassurance that their chosen test provider has demonstrated their ability to perform to CREST’s high standards. But we’re getting ahead of ourselves… Let’s go back a few steps.

What is CREST?

The Council for Registered Ethical Security Testers (CREST) is an independent, not-for-profit organisation recognised worldwide as the cyber assurance body for the technical security industry.

CREST defines best practice methodologies for penetration testing, threat intelligence services and cyber security industry response.

It was also instrumental in the development of the technical assessment and certification framework for the UK government’s Cyber Essentials Scheme.

Every company and individual that has been awarded accreditation/certification must sign up to a strict and enforceable Code of Conduct that defines requirements around ethics, integrity, disclosure and confidentiality. Put simply, it’s a shortcut to knowing which companies you should trust with your underwear drawer.


Why choose a CREST-accredited provider?

A stamp of approval from CREST is a guarantee that your chosen pen-test provider has the necessary skills and methodologies to give you an accurate and thorough assessment of your cyber security strategy.

You can be confident that they’re not only a legitimate organisation, but also that they have had to pass stringent controls in order to achieve CREST accreditation, which means they are highly skilled. On top of that, they have access to industry-leading resources and events, so their knowledge is continually updated.

Is Comtact CREST accredited?

You bet your bottom dollar we are. It’s not only a question of reassuring our customers that we know our stuff; there’s a lot of value in being part of a community of people who are always learning, always developing.

It means we can give our customers the very best level of service, such as the most rigorous testing methodologies, informed by the latest hacking techniques and current best practice.

Because penetration testing is not a one-size-fits-all exercise, we direct all this learning into a tailored programme to precisely fit your business needs. By adapting the CREST-approved methodologies to your infrastructure, industry and risks, we can find out just how susceptible your organisation really is. With this approach and our highly skilled CREST-certified penetration testers, we can deliver a real-world test that puts you on the path to greater cyber security.

Taking the next step

Penetration testing is a great way to identify the risks and vulnerabilities within your organisation and objectively assess the current state of your cyber security controls.

Simulating the behaviour of a real cyber criminal, a penetration test will uncover the critical security issues in your systems, show how those vulnerabilities can be exploited, and set out the steps required to fix them (before they are exploited for real).

About Comtact Ltd.

Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).

Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.