CREST Services: Penetration Testing - Introduction

CREST does not mandate a methodology for penetration testing. At this level, there are currently no standards that can be applied, and CREST wants to ensure that members have some freedom over how they conduct this type of work. That said, CREST looks for certain attributes in the methodology a company adopts, to ensure that it has processes in place to correctly scope an assignment and to undertake the penetration test in an ethical manner under appropriate legal and regulatory frameworks, that its penetration testers are controlled and work to the scope, and that client information is appropriately protected. The assumption made is that CREST member companies will use appropriately qualified staff, which helps to ensure the quality of the work being undertaken; this is reinforced by the need for sign-off by a qualified individual.

Further background information on penetration testing and the other CREST membership disciplines can be found in the application forms.