When commissioning a penetration test, the first question often isn't about the scope or the price, but about the credentials. Specifically: does the tester need to be CREST accredited?
For many UK businesses, the distinction between a CREST (Council of Registered Ethical Security Testers) accredited firm and a non-accredited one is the difference between a high-assurance audit and a basic security check. This guide explains the technical and regulatory differences to help you choose the right approach for your risk profile.
What Is CREST?
CREST is an international, not-for-profit accreditation body that represents the technical information security industry. It provides a rigorous framework for assessing the capabilities of security firms and the individual skills of their consultants. A CREST-certified company has undergone an extensive audit of its methodologies, data handling, and ethical standards.
CREST-accredited firms:
- Audited technical methodologies.
- Certified individual expertise tiers.
- Strict code of ethical conduct.
- Accepted for high-level compliance.
Non-accredited firms:
- Variable testing quality.
- No external methodological audit.
- Often lower cost entry point.
- Best for internal hygiene checks.
The Three Core Differences
1. Methodological Assurance
A CREST-accredited firm cannot simply "wing it." They must prove their testing processes are consistent, repeatable, and thorough. This includes how they scan for vulnerabilities, how they exploit them, and how they report the findings. Non-CREST firms may have excellent individuals, but they lack the external validation of their corporate processes.
2. Data Handling and Ethics
Penetration testing involves granting someone access to your most sensitive systems. CREST accreditation requires a firm to demonstrate robust data handling policies, secure storage of report data, and a clear ethical framework for when things go wrong. For regulated industries, this chain of trust is often a legal necessity.
3. Individual vs Company Certification
It is important to note that individuals can hold CREST certifications (like CPSA or CRT) even if they work for a non-accredited firm. However, a CREST-accredited company provides "company-level" assurance that the entire project management, legal, and reporting infrastructure meets the global standard.
When to Choose CREST
Choose a CREST-accredited partner if any of the following apply:
The Value of Quality Testing
While non-CREST testers can be highly skilled and are often suitable for early-stage startups or internal "sanity checks," the lack of external auditing creates a degree of risk. In a landscape where SME cyber security is increasingly under the microscope, the professional indemnity and technical rigour associated with CREST are powerful risk-reduction tools.
Frequently Asked Questions
Secure Your Infrastructure
Not sure what level of testing your business requires? SME Cyber Solutions provides practical ethical hacking and security assessments tailored to your risk profile.