Certification Summary

Penetration Testing Certifications (UK)

In the UK there are three main certifications: CREST, Tiger Scheme and CHECK. Tiger Scheme is relatively new, so it is not as well known as CHECK/CREST. CHECK and CREST also certify the company as well as the individuals that carry out the penetration testing, whereas Tiger Scheme certifies the skills of the penetration testers.

CREST: CREST (Council of Registered Ethical Security Testers) is a UK non-profit association created to provide guaranteed standards to the penetration testing industry.

CREST provides a provable validation of security testing methodologies and practices, aiding with client engagement and procurement processes, and proving that your company is committed to providing testing services to the CREST standard. (from http://www.crest-approved.org/welcome.html)

Three certifications are currently offered: the CREST Registered Tester and two CREST Certified Tester qualifications, one for infrastructure and one for web application testing.

CREST Membership requires a company to work to a strict set of policies/procedures and to employ at least one CREST Certified Tester (equivalent to Tiger Scheme SST or CHECK Team Leader as per the table below) and pay a yearly fee of £7,000 +VAT.

Tiger Scheme: The Tiger Scheme offers three levels of certification: Associate Security Tester (AST), Qualified Security Team Member (QSTM) and Senior Security Tester (SST). The SST has been assessed by CESG and is technically equivalent to CHECK Team Leader and QSTM is technically equivalent to the CHECK Team Member certification. The Tiger Scheme provides a means of independently certifying the skills of vulnerability test (penetration test) engineers, not the company they work for. The SST level examination doesn’t have a specific course to attend and is aimed at experienced penetration testers; however there are some courses available which aim to help gain this certification and there is also the possibility of being mentored by experienced testers.

CHECK: CESG has traditionally provided IT health check services for HMG (Her Majesty's Government) and the wider public sector of systems handling protectively marked information. Demand for these services has grown. Therefore, in line with similar CESG initiatives, a special partnership with industry is the most appropriate way of meeting this demand. The IT Health Check Service, or CHECK, was developed to enhance the availability and quality of the IT health check services that are provided to government in line with HMG policy. Companies belonging to CHECK are measured against high standards set by CESG. Therefore, HMG and CNI (Critical National Infrastructure) customers can be assured that they will receive a high quality service if the work is carried out under the Terms & Conditions of CHECK.

CESG will accept a pass from one of the following examinations when approving CHECK Team Leader and Team Member status.

CHECK Team Leader:

CHECK Team Leader (Infrastructure)

CREST Infrastructure Certification Examination (www.crest-approved.org)

TigerScheme Senior Security Tester (www.tigerscheme.org)

CHECK Team Leader (Web applications)

CREST Web Certification Examination (www.crest-approved.org)

CHECK Team Member:

CHECK Team Member

CREST Registered Tester Examination (www.crest-approved.org)

TigerScheme Qualified Security Tester Examination (www.tigerscheme.org)

(from http://www.cesg.gov.uk/products_services/iacs/check/index.shtml)

CHECK membership is controlled by CESG and requires the company to conform to certain policies/procedures, employ one CHECK Team Leader and pay a yearly fee of £7500+VAT, much as a company must do to become CREST approved. In addition, all members of the CHECK team must be British nationals (or as a minimum hold dual British nationality), have resided in the United Kingdom (UK) for 5 years or more, and be able to obtain and hold SC clearance