What penetration testing certifications should you insist on?

December 17, 2018

Penetration testing was born from murky beginnings, with hackers making the wise move to avoid prosecution and instead turning their skills into a business opportunity. From this came the need for regulation, with standardisation and rigorous certification requirements now the norm.

A wide range of specialist certifications have evolved in the last few years, offering customers much needed reassurance, service guarantees and adherence to industry-standard best practice.

But how do you know which one(s) to choose?


In this article, we’re going to take a look at a few specific qualifications to guide you through which certifications are applicable to you and your industry. Firstly, there is CREST.

> CREST certification for pen testing

CREST (www.crest-approved.org) is the most recognised of the certifications available and is widely applicable to information security professionals, regardless of specialism. CREST is actually an acronym for The Council of Registered Ethical Security Testers, and the standard qualification comes in three flavours: Practitioner, Registered and Certified.

While each level is naturally demanding, they are designed to span from entry-level qualifications, for those looking to join the industry, right up to exams which set the bar for experienced, senior security professionals.

CREST certifications help to ensure standards of methodology and ultimately performance across a variety of penetration testing providers, be they individual contractors or established cyber security companies. Their ubiquity in the marketplace has meant that CREST certification has become the de facto gold standard, increasingly becoming a mandatory requirement in bidding for public sector contracts, as well as key private sector industries.

For any ‘typical’ pen testing requirement, CREST would be a necessary certification to insist on.

It’ll reassure you that your organisation’s network will be tested using the latest techniques, while maximum attention is paid to operational safety concerns during testing.

> ISO 27001 – the information security standard

ISO 27001 is the key information security standard from the International Standards Organisation (ISO). Holders of ISO 27001 will have passed a strict audit that puts information security responsibility under senior management control, and is intended to reassure potential customers that their procedures for the handling of sensitive data meet their demanding standards.

It really is worth taking into account, because the security firm you engage will handle sensitive data relating to your security capabilities and the vulnerabilities inherent to your organisation. So do ask any potential penetration testing provider about their data handling.

ISO 27001 is now so commonplace across almost every sector that if a potential provider doesn’t have it, it might be worth asking why!


> CBEST, by CREST – for important financial institutions

Moving on to more specialist qualifications, CREST run an accreditation named CBEST, administered in conjunction with the Bank of England.

CBEST is an industry-leading scheme designed to make sure that the critical systems that make up the nation’s financial infrastructure are tested in the most arduous manner possible, yet still safely. CBEST is much wider-ranging than traditional penetration testing, and takes a holistic approach that encompasses people, technology and processes, starting with a threat intelligence-led approach. It’s relatively new to the marketplace, though, so don’t rule out an experienced penetration testing professional just because they’re not CBEST-approved.

> CHECK – for government departments and CNI

With yet another C-acronym, CHECK is a government scheme administered by the National Cyber Security Centre (NCSC) and is designed specifically for government departments and Critical National Infrastructure (CNI) – think nuclear power stations, the electricity grid, telephony systems and airports.

Key requirements include basic security clearances and vetting by the National Cyber Security Centre to assess technical proficiency.

> TIGER scheme

The TIGER scheme is similar to the CREST accreditation, and has similar technical requirements to the CHECK scheme – such that on successfully passing the TIGER exams, the National Cyber Security Centre will confer CHECK status on an applicant.

The TIGER scheme is set up and administered by the University of South Wales, and of late has seen a slight dip in popularity – but is still a well-respected and common accreditation to have.

> PCI DSS penetration testing – for the Payment Card Industry (PCI)

You’ll quite often see ‘PCI DSS compliant’, and if you deal with payment card processing, this is a requirement for you.

The Payment Card Industry (PCI) Data Security Standards (DSS) are intended to regulate the security of those handling sensitive payment data, and they train security professionals to become Qualified Assessors and/or Approved Scanning Vendors.

For companies that need to audit their PCI compliance, it will be these two certifications you’ll look for.

> CREST STAR – ‘Simulated Target Attack & Response’ (Red Teaming)

Lastly, CREST STAR is a really interesting scheme, again administered by CREST, providing accreditation for companies offering Red Teaming services. Red Teaming is a simulated attack which provides the toughest test from a team of experienced ethical hackers, and hence is a couple of levels up from what would normally happen during a regular penetration test.

STAR stands for Simulated Target Attack and Response, and the scheme lays out a comprehensive set of standards and best-practice guidelines for red-teaming exercises.


So there it is. As you can see, there are a couple of certifications which would be “required”. Then there are a number of specialist certifications designed to meet industry requirements, or highly advanced demands.

But what you should be clear about is that an ongoing vulnerability management programme, which includes pen testing (across the different types of penetration test), is essential to identify critical vulnerabilities before they are exploited for real.
