James Griffiths – UtopianKnight

Cyber & Information Security Blog – Written with the help of AI (ish)

Understanding the CREST Scheme for Organisations: Certification, Benefits, and Requirements

In the cybersecurity world, where trust and competence are paramount, the CREST certification scheme for organisations serves as a vital benchmark. Recognised globally, CREST (Council of Registered Ethical Security Testers) accredits organisations that deliver high-quality, technically competent, and ethical information security services.

This blog explores the CREST scheme for organisations, the certifications available, and what it means for a company to be CREST-accredited.


What is CREST?

CREST is an international not-for-profit accreditation and certification body that represents and supports the technical information security industry. While it provides professional certifications for individuals (such as CPSA, CRT, and CCT), it also offers accreditation for organisations that deliver services in areas such as penetration testing, threat intelligence, incident response, and security operations.

Organisational CREST accreditation demonstrates a commitment to quality, integrity, and continuous improvement — and is often required for working with government agencies, regulated sectors, and high-assurance clients.


Organisational CREST Certification Schemes

CREST offers certification in several key service areas. Organisations can apply for one or more of the following accreditations:

1. Penetration Testing Accreditation

Overview:
This accreditation confirms that an organisation meets the highest standards for conducting penetration testing services. It ensures the business uses technically competent staff, has a robust methodology, maintains data security, and adheres to legal and ethical practices.

Assessment Criteria:

  • Technical capability and qualifications of staff
  • Quality assurance and methodology
  • Legal compliance and insurance
  • Reporting standards and client communication
  • Incident handling processes

Who Needs It?
Consultancies delivering infrastructure, application, or wireless penetration tests to commercial or government clients.


2. Simulated Target Attack and Response (STAR) Scheme

Overview:
STAR accreditation is designed for organisations conducting advanced Red Team engagements that simulate sophisticated threat actors. It aligns with frameworks such as CBEST (UK), GBEST, and TIBER-EU.

Assessment Criteria:

  • Ability to mimic real-world adversaries
  • Threat intelligence-led attack planning
  • Operational security and client safety
  • Post-engagement analysis and reporting
  • Secure tooling and infrastructure management

Who Needs It?
Red Team service providers conducting simulated attacks for financial services, critical infrastructure, or regulated industries.


3. Cyber Threat Intelligence (CTI) Accreditation

Overview:
This certification validates an organisation’s ability to deliver high-quality, actionable cyber threat intelligence.

Assessment Criteria:

  • Sources and methodologies used to collect intelligence
  • Analytical frameworks and contextual relevance
  • Reporting accuracy and customer alignment
  • Staff experience and expertise in intelligence gathering
  • Ethical and legal boundaries of operations

Who Needs It?
Vendors providing CTI feeds, analysis, or bespoke threat reporting to clients.


4. Security Operations Centre (SOC) Accreditation

Overview:
CREST accredits organisations that operate Security Operations Centres (SOCs) capable of delivering effective monitoring, detection, and incident response services.

Assessment Criteria:

  • SOC staffing, training, and structure
  • Incident detection and escalation processes
  • Tooling and security automation
  • Response coordination and threat containment
  • Continuous improvement and maturity levels

Who Needs It?
Managed security service providers (MSSPs), MDR vendors, and in-house SOC teams looking to demonstrate capability.


5. Incident Response Accreditation

Overview:
This confirms an organisation’s ability to effectively manage and respond to cyber incidents.

Assessment Criteria:

  • Forensic capabilities and chain-of-custody processes
  • Containment and recovery procedures
  • Staff competence and experience in real-world incidents
  • Clear reporting, evidence preservation, and stakeholder engagement
  • Legal, ethical, and regulatory compliance

Who Needs It?
Consultancies providing digital forensics, breach investigation, and cyber incident response services.


Benefits of CREST Accreditation for Organisations

  • Industry Credibility: Positions your business as a trusted and verified service provider.
  • Client Assurance: Reassures customers of your technical competence and integrity.
  • Access to Regulated Markets: Enables participation in government, defence, and financial services frameworks (e.g., CBEST, TIBER-EU).
  • Quality and Compliance: Embeds best practices into technical delivery and operational management.
  • Global Recognition: CREST accreditation is respected worldwide across multiple sectors.

The Accreditation Process

  1. Application Submission
    Submit detailed documentation about your organisation’s policies, procedures, technical delivery, and staff qualifications.
  2. Audit and Assessment
    CREST conducts interviews, reviews processes, and may audit client deliverables to validate the quality and consistency of services.
  3. Certification Awarded
    Upon successful completion, your organisation is added to the CREST register and permitted to use the CREST mark.
  4. Ongoing Monitoring
    Organisations must undergo regular audits and demonstrate continued compliance with CREST standards.

Final Thoughts

Becoming a CREST-accredited organisation is more than a badge — it’s a commitment to excellence in cybersecurity. Whether delivering penetration testing, threat intelligence, or incident response, CREST certification sets the bar for professional service delivery, client assurance, and regulatory trust.

For any cybersecurity provider aiming to stand out in a competitive and critical field, CREST accreditation is a mark worth pursuing.

