If we're not accredited to ISO27001, what sort of detail will be acceptable to CREST?
The ISO 27001 standard is the specification for an Information Security Management System (ISMS). The objective of the standard is to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS. The standard employs the Plan-Do-Check-Act (PDCA) model to structure these processes and this is a useful way of considering the quality standards that should be utilised within a business. From a CREST perspective, this should include all aspects of an assignment that could be run under CREST standards.
A security management system would normally include statements on management responsibility for the ISMS, including:
• Management Responsibility
• Management Commitment
• Management Representative
• Quality Policy and Objectives
• Customer Focus and Customer Satisfaction
• Corrective Actions
• Preventative Actions
CREST would not necessarily look for evidence in all of these areas but management commitment to their process is essential for effective implementation.
Your ISMS manual or reference material should also cover the following areas to demonstrate best practice:
• Resource management
• Personnel training and development
• Internal audits of CREST related assignments
• Continual improvement programmes
It is also good practice to have these processes available from a single source, as it is important that a team involved in a CREST assignment can see the end-to-end process and understand their responsibilities. Consideration should also be given to creating sections to break down and cover these areas