If you aren’t a cyber security expert or a penetration tester, how do you know you’re getting value for money from the service you are investing in?
CREST, the accreditation and certification body for penetration testing, has announced the release of its CREST Defensible Penetration Test to help with exactly that. The aim is to reassure buyers and to set a standard for delivery: what makes a pen test good.
What is a CREST Defensible Penetration Test?
The CREST Defensible Penetration Test is a specification that sets out how penetration tests should be scoped, delivered and signed off.
Industry-recognised, peer-selected experts worked together to define a minimum set of expectations for a penetration test. It is not an exhaustive list of dos and don’ts; it is designed to help pen testers and their clients work together.
Goals and Objectives
- Goals and objectives should be set by the buyer
- Goals and objectives should be listed by the service provider in all scoping documents and reports produced
- Goals and objectives should be clearly defined within the engagement, as they directly influence scoping activities
Scope of Work
- The scope of work should be appropriate to meet the assurance requirements defined by the contracting organisation or by their project
- The scope should be set with the goals and objectives in mind
- The assessment must be executed in accordance with the agreed scope
- It is the responsibility of the CREST Accredited Penetration Testing Provider to communicate any deviation from the scope or from the expected conditions
- The test must be conducted in accordance with the penetration testing methodology that was approved as part of the CREST Member Company’s accreditation process
- If any constraints are identified that prevent the full scope from being addressed, these should be formally documented
- The delivery phase should cover all elements highlighted within the scoping phase
- If constraints were identified during the delivery phase, these must be formally documented in the sign-off process
- Sign-off should state whether all the set goals and objectives were met and, if not, why not
What does this mean for you?
The aim of a CREST Defensible Penetration Test is to give providers maximum flexibility in how they work, while defining a minimum set of expectations that drives better outcomes for buyers.
The outcome is a commercially defensible assurance activity that is appropriately scoped, executed and signed off.
The test helps both buyers and sellers get a defined level of value from the service. By opting for a pen test that meets the CREST Defensible Penetration Test standard, buyers also signal to the market that they are taking reasonable steps to mature their cyber security.
What makes the CREST Defensible Penetration Test commercially defensible?
A CREST Defensible Penetration Test is commercially defensible when the following three elements are satisfied:
- The penetration testing service provider must have appropriate policies, procedures, practices and methodologies (CREST defines such a provider as an Accredited Organisation).
- All individuals involved in the penetration test must have appropriate levels of skill, experience and competency.
- The penetration testing service provider and the individuals conducting the assessment must work towards a defined and agreed test specification.
How can CyberCrowd help?
We have a team of highly accredited, customer-facing testers who are subject matter experts. They are always on hand to answer any queries you may have and to advise on the best steps to resolve any vulnerabilities they find.
At CyberCrowd we believe that, as a minimum, every organisation should understand what its security posture looks like.
If you would like to hear more about penetration testing and how our service could help your business, or want an answer to the question ‘What makes a pen test valuable?’, our experts are on hand to help.