CREST, the international not-for-profit membership body representing the global cybersecurity industry, has announced the release of its CREST Defensible Penetration Test, a specification that provides recommendations on how penetration tests should be scoped, delivered and signed off.
With significant growth in the number of penetration tests being carried out around the world, the need to define best practice has become increasingly important. CREST has worked alongside industry-recognised and peer-selected experts to define a minimum set of expectations associated with a penetration test.
The guidance focuses on defining a CREST Defensible Penetration Test and is designed to help service providers and their clients to work more effectively together to conduct penetration tests.
“A CREST Defensible Penetration Test provides flexibility built around a minimum set of expectations that will drive better outcomes for buyers across the globe,” said Rowland Johnson, CREST President. “It provides the industry with a much needed commercially defensible assurance activity that is appropriately scoped, executed and signed off.”
Across the globe it is widely acknowledged that the definitions, practices and expectations associated with a penetration test are inconsistent and fluid. This makes it difficult to define or parameterise a series of activities that looks at all possible requirements, engagements or scenarios. For example, a penetration test may need to assess a mobile phone at one end of the spectrum or an aircraft carrier at the other.