Is it mandatory to obtain individual CREST certification for employees?
You do not need to employ CREST qualified individuals to be a CREST member company. You can use contractors; they will have signed their personal code of conduct and will have to adhere to your policies, processes and procedures. You can also partner with other CREST companies. Again, the codes of conduct that both companies sign will be used to tie the company processes together.
In terms of CEH, passing the exam requires in the region of 120 hours of experience and research. CISSP is very general and, although it requires five years’ experience, this can be in any type of information assurance work. The CREST qualifications are much more specific and have higher requirements in terms of skill levels in the specialist areas. This is not to say that your staff who have these qualifications cannot pass the CREST exams. If they have about 18 months’ experience, we would suggest that they look at the Practitioner level examinations; at 6,000 hours they should consider the Registered level; and at 10,000 hours the Certified level. These are only indicative experience hours.