CREST provides commercially defensible scoping, delivery and sign-off recommendations for penetration tests

01 August 2022

CREST, the international not-for-profit, membership body representing the global cyber security industry, has announced the release of its CREST Defensible Penetration Test, a specification that provides recommendations on how penetration tests should be scoped, delivered and signed off.

With significant growth in the numbers of penetration tests being carried out around the world, the need to define best practice has become increasingly important. CREST has worked alongside industry recognised and peer-selected experts to define a minimum set of expectations associated with a penetration test.

The guidance focuses on defining a CREST Defensible Penetration Test and is designed to help service providers and their clients to work more effectively together to conduct penetration tests.

“A CREST Defensible Penetration Test provides flexibility built around a minimum set of expectations that will drive better outcomes for buyers across the globe,” explained Rowland Johnson, CREST President. ”It provides the industry with a much needed commercially defensible assurance activity that is appropriately scoped, executed and signed off.”

Across the globe it is widely acknowledged that the definitions, practices and expectations associated with a penetration test are inconsistent and fluid. This makes it difficult to define or parameterise a series of activities that looks at all possible requirements, engagements or scenarios. For example, a penetration test may need to assess a mobile phone at one end of the spectrum or an aircraft carrier at the other.

This new CREST guidance provides a best practice framework for penetration test defensibility and an assurance of penetration tester competence. It will help organisations that are looking to procure penetration testing services and organisations that deliver penetration testing services.

Only when the following three elements are satisfied, will the CREST Defensible Penetration Test be commercially defensible:

The need for penetration testing service providers to have appropriate policies, procedures, practices and methodologies
The need for all individuals involved in a penetration test to have appropriate levels of skills, experience and competency
The need for penetration testing service providers and the individuals conducting the assessment to work towards a defined and agreed test specification