by peter


Guide to CREST penetration testing

Welcome to our guide to CREST penetration testing. CREST is the Council of Registered Ethical Security Testers, and CREST accreditation is well established as a 'stamp of approval' for a high-quality penetration test. But what actually differentiates a CREST penetration test from other assessments?

Who is CREST?

The Council of Registered Ethical Security Testers (CREST) is an international not-for-profit accreditation and certification body which represents and supports the technical information security market. CREST provides internationally recognised accreditation for organisations, and professional-level certification for individuals, that provide penetration testing and other services such as vulnerability scanning, cyber incident response, threat intelligence and Security Operations Centre (SOC) services. To achieve CREST accreditation, companies must undergo a rigorous assessment of their business processes, data security and security testing methodologies. Note the distinction used throughout this guide: companies are accredited, individual testers are certified.

What is a CREST-accredited company?

Every CREST member company is required to submit the policies, processes and procedures relating to its service provision to CREST for assessment. Gaining and maintaining CREST accreditation is an ongoing process rather than a one-time step: member organisations are required to submit an application annually, with a full reassessment required every three years.

Each CREST member company signs up to a binding and enforceable company code of conduct, which includes processes for resolving complaints.

Why choose a CREST-accredited provider for pen testing?

“There are many benefits in procuring penetration testing services from a trusted, certified external company who employ professional, ethical and highly technically competent individuals. CREST member companies are certified penetration testing organisations who fully meet these requirements, having been awarded the gold standard in penetration testing, building trusted relationships with their clients.” – CREST

CREST-certified pen testing services provide assurance that the entire pen testing process will be conducted to the highest legal, ethical and technical standards. The CREST pen testing process follows best practice in key areas such as preparation & scoping, assignment execution, post technical delivery and data protection.


What are the benefits of CREST penetration testing?

CREST-accredited pen testing offers a number of advantages, including:

1. Highly trained security professionals

CREST penetration testing is typically carried out by, or under the supervision of, CREST-registered penetration testers. CREST-registered or certified penetration testers (CREST Registered Tester, CRT, and CREST Certified Tester, CCT) are required to pass a series of rigorous exams to prove their skill, knowledge and competence, and certifications expire after three years, so testers must re-sit them to remain certified. CREST pen testers also have to evidence between 6,000 hours (CREST-registered) and 10,000 hours (CREST-certified) of regular and frequent professional experience. When scoping an engagement it is reasonable to ask the provider which level of certification the testers assigned to your work hold, and who will be supervising any uncertified staff.

2. Greater customer assurance

Companies are often asked to demonstrate to their customers that the data they hold is secure. Using a CREST-accredited penetration testing provider helps them show that testing was performed to a recognised standard by a vetted provider. Commissioning a CREST member company may also provide a commercial advantage when bidding for contracts, where it is sometimes listed as a requirement.

3. Supports regulatory compliance

A CREST pen test supports information security requirements such as the GDPR, ISO 27001, the Network and Information Systems Directive and Regulations (NIS Regulations) and the Payment Card Industry Data Security Standard (PCI DSS). A pen test may be specified directly by a particular regulation or indirectly by the need to assess and evaluate the effectiveness of technical and organisational controls. Note that CREST accreditation on its own does not make a test compliant with any of these frameworks; the scope, frequency and reporting still have to match what the framework asks for. Learn more about the requirements for penetration testing in our compliance guide.

4. Globally recognised accreditation

CREST accreditation is valid and recognised around the world. This provides valuable assurance for companies with a global presence or for those working with overseas customers. A pen testing provider which lacks accreditation, or whose certification is recognised only in the UK, may carry less weight with overseas customers and auditors, even if the technical quality of its work is comparable.

5. Up-to-date expertise

The threat landscape is constantly changing. To ensure that testers' skills and providers' methodologies keep pace with it, both the organisational and the individual CREST certification processes are repeated periodically rather than awarded once. Member organisations are regularly updated by CREST about the latest developments in technical information assurance and participate in member workshops and events.

We hope you found this guide to CREST penetration testing useful.