Last Updated on April 23, 2012
It’s not uncommon for potential client to ask “Is your company certified to provide Penetration Testing?” It’s a great question and one that unfortunately does not have a good answer – YET. **
Via a client, we recently became aware of a British organization called CREST (Council of Registered Ethical Security Testers) that has developed a certification scheme for companies and individual penetration testers that is gaining a lot of traction in Britain. If you’re not familiar with CREST – it’s worth a look. The Brits have long been leaders in information security (they are the “inventors” of ISO 27001) so the idea that CREST may gain broader acceptance is definitely feasible.
I recently had an opportunity to speak with David McGuire who runs the Penetration testing practice of one of our competitors, the Veris Group. David is a very impressive guy, who is currently taking the lead on a potential effort to establish a CREST chapter in the United States. We had a great discussion and Pivot Point is eager to support his efforts and is optimistic that he has the energy and expertise to make it happen.
Hopefully at some point in the not too distant future my answer will be: “As a matter of fact – we were very recently CREST Certified… ” **
**UPDATE: Pivot Point Security is now officially CREST Certified.
You can read more in our post about scoping Penetration Tests for SOC1, SOC2, and PCI.