CREST is committed to supporting all sectors of the technical information security industry by providing guidance material and commissioning research projects.  The CREST material currently available is listed below.  If you have an idea for a subject that CREST could consider conducting research into, please let us know by emailing [email protected]

CREST have completed research projects into both Penetration Testing and Cyber Security Incident Response and guides to assist organisations procuring these services have been published.

Penetration Testing – A guide for running an effective Programme
CREST’s Penetration Testing Guide provides practical advice on the establishment and management of a penetration testing programme, with advice on how to conduct effective, value-for-money penetration testing as part of a technical security assurance framework.  It is designed to enable organisations to prepare for penetration tests, conduct actual tests in a consistent, competent manner and follow up tests effectively.

The Guide presents a useful overview of the key concepts that need to be understood to conduct well-managed penetration tests, explaining what a penetration test is and is not, outlining its strengths and limitations, and describing why an organisation would typically choose to employ an external provider of penetration testing services to help plan for and undertake tests effectively, ensuring that vulnerabilities are identified and remediated.

To support these procurement guides and to ensure the effectiveness of any penetration testing programme, CREST has developed a suite of maturity assessment tools to ascertain the status of a pentesting programme against an industry standard scale.  Further details including a guide to the tools and the tools themselves can be found here.

Cyber Security Incident Response Guides
The CREST Cyber Security Incident Response (CSIR) Procurement Guide describes how to handle cyber security incidents appropriately and offers practical advice on how to prepare for, respond to and follow up an incident quickly and effectively.  The purpose of the Guide is to help improve the buying process for current and potential buyers of CSIR services and to help the buying community meet the range of different requirements for responding to a cyber security incident, based on their type of organisation.  This Guide will help you achieve the best response for your circumstances.

The CREST Cyber Security Incident Response (CSIR) Supplier Selection Guide helps the buying community understand the benefits of using external suppliers, determine which activities should be outsourced, define criteria upon which to base selection of a suitable supplier and provides guidance on appointing suitable third party experts.  It provides practical advice on the procurement of CSIR services and investigates the primary considerations for a buyer when weighing up the benefits of outsourcing their CSIR capabilities.

In support of the work on cyber security incident response, a maturity assessment tool has been developed to enable assessment of the status of an organisation’s cyber security incident response capability.  The tool helps to measure the maturity of a cyber security incident response capability on a scale of 1 (least effective) to 5 (most effective).  The tool is powerful, yet easy to use and consists of two different spreadsheets, enabling assessments to be made at either a summary or detailed level.  Further details are available here.

Cyber Security Monitoring and Logging
The CREST Cyber Security Monitoring and Logging Guide explains what organisations need to do when monitoring and logging cyber security events.  The Guide focuses on proactive measures that will make organisations more difficult to attack and help them to reduce the frequency and impact of cyber security incidents, including sophisticated cyber security attacks.  Further details are available here.

Industrial Control Systems:  Technical Security Assurance Requirements
The CREST Industrial Control Systems Position Paper presents the findings from a CREST project on the Technical Security Assurance of Industrial Control Systems (ICS).  This document is based on detailed research and includes insights, commentary and analysis garnered from subject matter experts through:


Bug Bounties
The CREST Bug Bounties report explores good and bad practice in order to build a better understanding of bug bounty programmes and how they fit into the wider technical assurance framework.  Read more here.

If you have any questions about our research, procurement guides or reports, or if you require further information, please email [email protected]