CREST SOC Accreditation gets remote audit
15 April 2021: CREST has announced a new remote audit facility for its SOC (Security Operations Centre) Accreditation to reduce the need for travel and help ensure more timely and effective audits. It provides an alternative to on-site audits and will help meet the increased international demand for SOC Accreditation, without compromising the high CREST standards.
CREST’s SOC Accreditation is available for both service providers and internal SOCs and was developed with extensive input from CREST members and the wider industry to provide an internationally recognised and independent validation of the SOC. Accreditation demonstrates a high level of assurance and trust, and since its launch at the end of 2017 CREST has seen demand for SOC Accreditation grow significantly.
CREST has detailed and comprehensive SOC Assessment Criteria that look at six key areas of a SOC: Organisational Environment; Customer Requirements; Technology and Tools; Event Analysis; Threat Intelligence & Situational Awareness; Protecting the SOC. The first stage of accreditation involves completing the application via the CREST Membership Portal, which will ask questions about processes, policies and methodologies. The second stage is the detailed audit conducted by a qualified auditor within six months of the application.
“Even before the pandemic and additional travel constraints this has brought, high levels of international demand for SOC Accreditation meant we needed to look for a more accessible, flexible and efficient approach to speed up the audit process,” explains Samantha Alexander, Principal Accreditor at CREST. “But we needed to ensure that any solution didn’t impact on the very high standards of the audit itself. This remote capability allows the CREST audit team to review documentation, conduct interviews and site tours with the same rigour and attention to detail as an onsite visit.”
CREST will discuss the process with the organisation’s SOC team in advance to ensure that all SOC criteria are covered and technology requirements are reviewed to deliver an effective audit. The audit will start with a review of documentation and records, observations of processes and methodologies, interviews with the SOC staff and a remote video tour of the SOC environment. All data and evidence will be noted and included in the final audit report, held under a CREST NDA.