Criteria to become a CBEST Provider

CBEST is a joint initiative between CREST and the Bank of England. CBEST supports controlled, bespoke and intelligence-led security testing, and improves resilience against cyber-attacks. The CBEST test mimics the behaviours of threat actors assessed by Government and commercial threat intelligence providers as posing a genuine threat to financial institutions. CBEST focuses on sophisticated and persistent attacks on critical systems and essential services, with priority given to the systems identified by the Bank as systemically important.

CBEST comprises the following standards and documents (as may be updated from time to time):
i)  Successful accreditation to CREST STAR Penetration Testing and/or CREST STAR Threat Intelligence Provider status;
ii)  Use of CREST STAR Penetration Testing and STAR Threat Intelligence qualified personnel on all CBEST assignments;
iii)  CBEST terms of reference, including:
a.  identification of the system(s) to be tested;
b.  the threats and threat agents to be countered;
c.  all possible system component technologies, products and configuration; and
d.  the scope of testing,

all together, the “CBEST Standards”.

CBEST accreditation requires:
i)  Full and continuing CREST membership;
ii)  Completion and acceptance of the CBEST Application and all relevant background documentation;
iii)  Satisfactory attainment of the CBEST Standards;
iv)  Provision of named individuals involved in all elements of every CBEST test;
v)  STAR Penetration Testing Companies:  Documented completion of 14,000 hours of cyber penetration testing experience, with 4,000 hours of experience in financial institutions, for each potential CBEST team member; and
vi)  STAR Threat Intelligence Companies:  Documented completion of 7,000 hours (est. 5 years) of experience providing threat intelligence services to financial institutions for each potential CBEST team member.

CBEST Application criteria – Penetration Testing:
Companies applying for CBEST accreditation must:

i)  Fully complete the CREST STAR Penetration Testing and CBEST Penetration Testing Forms, with all fields filled out;
ii)  Provide confirmation from CREST of full CREST accreditation status (which includes full payment of all necessary fees);
iii)  Provide details of CCSAM or CCSAS qualification(s), including expiry date.  Please note that the Bank will not action any CBEST applications unless the applicant company employs an individual (a person who is hired for a wage, salary, fee or payment to perform work for an employer) with these qualifications who is based in the UK;
iv)  Provide full references in accordance with the requirements of this application form;
v)  Have a registered presence in the United Kingdom.

CBEST Application criteria – Threat Intelligence:
Companies applying for CBEST accreditation must:

i)  Fully complete the CREST Threat Intelligence and CBEST Threat Intelligence Forms, with all fields filled out;
ii)  Provide confirmation from CREST of full CREST accreditation status (which includes full payment of all necessary fees);
iii)  Provide details of CCTIM qualification(s) including expiry date.  Please note that the Bank will not action any CBEST applications unless the applicant company employs an individual (a person who is hired for a wage, salary, fee or payment to perform work for an employer) with this qualification who is based in the UK;
iv)  Provide full references in accordance with the requirements of this application form;
v)  Have a registered presence in the United Kingdom.

CREST and CBEST accreditation, information and documentation will be shared with the Bank of England for the purposes of administering and managing CBEST.   Please email [email protected] for further information.