CREST releases Defensible Penetration Test specs

Cyber security membership organisation, CREST, has announced the release of its Defensible Penetration Test, a specification that provides recommendations on how penetration tests should be scoped, delivered and signed off.

Developed alongside recognised industry and peer-selected experts to define a minimum set of expectations, the specification responds to significant growth in the numbers of penetration tests being carried out globally.

“A CREST Defensible Penetration Test provides flexibility built around a minimum set of expectations that will drive better outcomes for buyers across the globe,” said Rowland Johnson, CREST president. “It provides the industry with a much-needed commercially defensible assurance activity that is appropriately scoped, executed and signed off.”

The definitions, practices and expectations associated with a penetration test are inconsistent and fluid. This makes it difficult to define or parameterise a series of activities that looks at all possible requirements, engagements or scenarios. For example, a penetration test may need to assess a mobile phone at one end of the spectrum or an aircraft carrier at the other.
