Cyber SafetyPress ReleaseThreat Detection & Defense

CREST Defensible Penetration Test Announced

CREST, the international not-for-profit, membership body representing the global cyber security industry, has announced the release of its CREST Defensible Penetration Test, a specification that provides recommendations on how penetration tests should be scoped, delivered and signed off. With significant growth in the numbers of penetration tests being carried out around the world, the need to define best practice has become increasingly important. CREST has worked alongside industry recognized and peer-selected experts to define a minimum set of expectations associated with a penetration test.

The guidance focuses on defining a CREST Defensible Penetration Test and is designed to help service providers and their clients to work more effectively together to conduct penetration tests.

“A CREST Defensible Penetration Test provides flexibility built around a minimum set of expectations that will drive better outcomes for buyers across the globe,” explained Rowland Johnson, CREST President. “It provides the industry with a much needed commercially defensible assurance activity that is appropriately scoped, executed and signed off.”

Across the globe it is widely acknowledged that the definitions, practices and expectations associated with a penetration test are inconsistent and fluid. This makes it difficult to define or parameterize a series of activities that looks at all possible requirements, engagements or scenarios. For example, a penetration test may need to assess a mobile phone at one end of the spectrum or an aircraft carrier at the other.

This new CREST guidance provides a best practice framework for penetration test defensibility and an assurance of penetration tester competence. It will help organizations that are looking to procure penetration testing services and organizations that deliver penetration testing services.

Only when the following three elements are satisfied, will the CREST Defensible Penetration Test be commercially defensible:

  • The need for penetration testing service providers to have appropriate policies, procedures, practices and methodologies
  • The need for all individuals involved in a penetration test to have appropriate levels of skills, experience and competency
  • The need for penetration testing service providers and the individuals conducting the assessment to work towards a defined and agreed test specification

More information on the CREST Defensible Penetration Test is available at: Implementation & Procurement Guides – CREST (crest-approved.org)

CSA Editorial

Launched in Jan 2018, in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, Risk professionals and C-Levels who have an obligation to understand the impact of cyber threats.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *