How to join CREST


In accordance with CREST’s stated aim “to increase professionalism in the security testing industry”, CREST places requirements on member companies in order to ensure that consistent standards of services are delivered.

The requirements fall into 4 main areas:

  • Company operating procedures and standards
  • Personnel security and development
  • Approach to testing and response
  • Data security

Prior to applying to join CREST, prospective member companies are encouraged to review the requirements documents and ascertain their compliance status.

Prospective CREST Member Companies can apply for membership in any or all of the following disciplines:

Application Process
After receipt of an expression of interest, CREST will ask you to sign a mutual NDA. Once an NDA has been signed, CREST will provide you with login details to our Membership Portal.

The company membership application form is a comprehensive form requiring a prospective member company to provide evidence that they are compliant with the various CREST requirements.

During the application process, we will require copies of certain documents. These include:

  • General company details;
  • Copy of a professional indemnity insurance certificate or company letter confirming the level of professional indemnity insurance;
  • Contract management, including a copy of a sample contract with terms and conditions;
  • Policies and procedures relating to the use of contractors, including a copy of a sample contract with terms and conditions;
  • Copies of standards compliance certificates (e.g. ISO27001, ISO9001);
  • Quality processes and procedures;
  • Information Security processes and procedures;
  • Complaint Handling and Conflict of Interest policies.

Please consult our Frequently Asked Questions regarding completion of the application form. Please note that all supporting documentation must be uploaded to the CREST membership portal for audit.

Each discipline has its own separate application form where CREST will review specific methodologies for delivering the service you are applying for.  Information on each discipline’s specific requirements can be found here:
Discipline requirements

Prospective Member Evaluation
Once your application has been submitted, one of the accreditation team will conduct a thorough review of your application based on the information provided in your application forms and supporting documentation.  An application fee becomes payable once you have submitted your documents.  Feedback will be provided within six weeks of submission.  CREST reserves the right to carry out an onsite audit of your company against the CREST standards.

Once feedback has been provided, you have 90 days to re-submit your application to CREST.  There is no additional charge to do this. If the application is submitted outside of these 90 days, a new application may be required.  Feedback will be provided to your point of contact during the review process so that any issues may be resolved.

In the event of a membership application not meeting the guidelines, further supporting evidence will be requested for review, prior to a decision being made.

Start Date and Duration of Membership
Your point of contact will be notified when your application has been approved.  Your membership will start from the first of the next calendar month after notification and will be valid for one year.  This is subject to receipt of any outstanding documentation and payment of your annual membership fee.

At the start of your membership, a certificate will be sent to the point of contact provided in your application form and your company details will be posted on this website based on the details provided within your application documentation.

Use of Contractors for CREST tests
CREST does not prohibit the use of contractors on CREST tests.  However, it is essential that all members engaged in a CREST test follow CREST standards for conduct and methodology, and attestation to this is included in the membership application form.

To this end we require that contractors agree to follow the CREST approved procedures and methodologies of the company to which they are contracted.  This must be agreed in writing and form part of the contract, along with any further conditions as required by the end client.

Full details are available from [email protected].

Annual Membership Fees
Annual membership fees will be applied as follows:
i) £5,000 pa for membership of one country Chapter
ii) £7,000 pa for membership of one region and any of its associated country Chapters
iii) £25,000 pa for global membership (all regions and associated country Chapters)
Recognition for member companies will be as follows (respectively):
i) Identified as a member of that country (only)
ii) Identified as a member of that region and of individual countries within that region
iii) Identified as a global operator.
As an illustration:

  • ABC Company Ltd – UK based only, delivering services only in UK. Subscription £5,000
  • DEF Company Ltd – UK based with ability to deliver across EMEA. Region = EMEA. Subscription £7,000
  • FGH Company Ltd: UK based with ability to deliver across EMEA, plus Singapore secondary with ability to deliver in Singapore but not wider Asia market. Subscription £12,000 (= EMEA @ £7,000 plus Singapore only @ £5,000)
  • RST Company Ltd – UK based with ability to deliver across EMEA, plus Singapore secondary with ability to deliver across Asia. Regions = UK & Asia. Subscription £14,000
  • XYZ Company Ltd – operations in UK, Germany, Spain, USA, Singapore & Australia. Region = global. Subscription £25,000

Subscriptions are based on a member company’s area of operation in a country or region and are associated with an address (i.e. an office). Member companies are invited to choose which countries and regions they wish to be attached to.  The most a company will have to pay is £25,000 per annum to be attached to all CREST Chapters in all regions around the world.  The definition of CREST’s membership regions is available here:
Membership Region Definitions

Existing Members have the opportunity to add Chapter membership to their subscription at any time during their membership and the additional membership fee will be pro-rated to co-term with the company’s annual membership renewal date.

There is a £750 application fee for company membership.  This includes all support and liaison with CREST regarding the application.  The fee will cover your application to all disciplines chosen.  There is no discount for applying for only one membership discipline.

For existing CREST member companies, an administration fee of £500 will be payable for the addition of disciplines after the original application.  If multiple disciplines are submitted within two weeks of the initial application, no additional fee will be payable.

CREST reserves the right to conduct a full assessment every three years requiring a full re-submission of all documents.  If called for, there will be an assessment fee of £750 for this.

Please note that VAT will be applied, where applicable, to all fees.

Additional Fees for certain disciplines
•  SOC Accreditation:  £1500, plus travel expenses.  These can be provided in advance, so please ask when applying.
•  VA Accreditation:  £500, which covers the technical assessment once the application stage has been approved. This must be completed to complete membership.

Applying for CREST company membership
If you wish to become a CREST member company please register your interest by emailing [email protected].

Annual Renewal
CREST membership must be renewed on an annual basis.  Your point of contact will be sent a renewal reminder by email at least two months in advance of the renewal date.

You will be asked to complete your renewal on the CREST Membership Portal.  You will have to complete the CREST renewal form and supply the supporting documentation requested, as well as re-signing the CREST Code of Conduct.

The renewal looks at some key areas of membership including:

• General company details
• Company insurance
• Quality policies and procedures
• Information Security policies and procedures
• Complaint handling
• Client contract management
• Details of Certified individuals

CREST carries out a thorough review of your renewal based on the information provided.  CREST reserves the right to carry out an onsite audit of your company against the CREST standards.  Once approved, the annual membership fee will be payable.

There are no administration fees payable for annual renewal of your CREST membership.

At any time during membership with CREST, members can upgrade their membership – whether this is adding office locations or the addition of Countries or Regions. Any additional fees are pro-rated to co-term with the dates of the original membership.