What is CREST?

CREST — the Council of Registered Ethical Security Testers — is an international, not-for-profit accreditation and certification body for the technical security industry. Founded in the United Kingdom, CREST now operates globally with a particularly strong presence across the Asia-Pacific region, including Singapore, Hong Kong, Australia, and the broader ASEAN market.

Unlike vendor-specific certifications such as CEH (EC-Council) or OSCP (OffSec), CREST provides a dual-layer quality assurance model. It accredits organisations at the company level, verifying that the firm has robust methodologies, quality assurance processes, qualified staff, and appropriate professional indemnity insurance. Separately, it certifies individual testers through rigorous practical examinations.

This distinction is important. When a firm claims to be "CREST-accredited," it means the organisation itself has passed a formal audit — not merely that one of its employees holds a CREST individual certification. The organisation-level accreditation is the mark that matters most for procurement decisions, regulatory compliance, and supply chain assurance.

CREST Organisation Accreditation vs Individual Certification

CREST operates two parallel programmes, and understanding the difference is essential when evaluating a penetration testing provider.

Organisation Accreditation

To achieve CREST organisation accreditation, a firm must undergo an independent audit that evaluates its testing methodology, quality assurance framework, staff qualifications, data handling procedures, and professional indemnity insurance coverage. The audit is repeated periodically to ensure continued compliance. This is the mark that clients and regulators look for — it signals that every engagement delivered by the firm meets a verified baseline of quality.

Individual Certification

CREST also certifies individual testers through a tiered examination framework. The key certifications include CPSA (CREST Practitioner Security Analyst), CRT (CREST Registered Tester), CSAM (CREST Simulated Attack Manager), CCT INF (CREST Certified Tester — Infrastructure), and CCT APP (CREST Certified Tester — Application). These are rigorous, hands-on examinations that validate technical competence at progressively higher levels.

While individual certifications demonstrate that specific testers are qualified, the organisation accreditation is what ensures consistency across all engagements — regardless of which individual tester is assigned. Both layers together provide the strongest assurance of quality.

Why CREST Matters When Choosing a Pen Testing Provider

Choosing a penetration testing provider without CREST accreditation introduces several measurable risks that go beyond testing quality.

First, non-CREST penetration test reports may not be accepted by PCI DSS Qualified Security Assessors (QSAs) during compliance validation. PCI DSS Requirement 11.4 mandates that penetration testing be performed by a "qualified internal resource or qualified external third party." While the standard does not explicitly name CREST, many QSAs and acquiring banks interpret "qualified" as holding a recognised accreditation — and CREST is the most widely accepted benchmark.

Second, enterprise procurement teams increasingly require CREST accreditation as a minimum threshold for vendor selection. Government contracts in several Asia-Pacific jurisdictions now include CREST as a preferred or mandatory qualification for security testing providers.

Third, CREST-accredited organisations are bound by a formal code of conduct and must maintain professional indemnity (PI) insurance coverage. This provides contractual protection that non-accredited firms may not offer.

EIC holds CREST organisation accreditation and delivers penetration testing engagements across 7 APAC countries. Every assessment follows CREST methodology and is backed by professional indemnity coverage. Learn more about our CREST pen testing services.

When Regulators Require CREST-Accredited Testing

Several regulatory frameworks across Asia-Pacific either explicitly require or strongly recommend that penetration testing be performed by CREST-accredited organisations.

FrameworkJurisdictionCREST Requirement
PCI DSS 11.4GlobalQualified tester required — CREST widely accepted as benchmark
MAS TRM GuidelinesSingaporeCREST-accredited testing recommended for financial institutions
BNM RMiTMalaysiaQualified external assessor required — CREST recognised
BSP CircularPhilippinesIndependent pen testing with qualified provider expected

The common thread is clear: engaging a non-CREST provider creates compliance risk. Even where CREST is not explicitly mandated, regulators expect organisations to demonstrate that their penetration testing provider is independently qualified. CREST accreditation is the simplest way to satisfy that expectation.

How to Verify a Provider's CREST Status

Verifying a provider's CREST status is straightforward, but it is a step that many organisations skip — often with consequences.

The authoritative directory is maintained by CREST at crest-approved.org. You can search by country, service type, or company name. The directory shows the firm's current accreditation status and the specific services it is accredited to deliver (e.g., penetration testing, vulnerability assessment, incident response).

There are three things to look for when verifying:

  • Current status: Accreditation must be active, not expired or suspended. Check the date.
  • Service scope: Ensure the firm is accredited for the specific service you need — penetration testing accreditation does not automatically cover threat intelligence or incident response.
  • Geographic presence: For on-site testing, confirm the provider can deliver in your jurisdiction with local testers.

Warning: Some firms claim CREST affiliation on their website without holding current accreditation. Always verify directly through the CREST directory before signing a contract. Learn why organisations choose EIC.

CREST Accreditation in Asia-Pacific — The Landscape

The CREST-accredited penetration testing landscape in Asia-Pacific looks significantly different from the UK, EU, or North American markets. There are fewer accredited firms overall, and those that do hold accreditation tend to be concentrated in Singapore and Australia.

This creates practical challenges for organisations based in Southeast Asia, South Asia, or the Pacific Islands. Finding a CREST-accredited provider that can deliver on-site testing, understand local regulatory context, and operate within the same time zone is not always straightforward.

EIC holds CREST organisation accreditation with operational presence across 7 APAC countries — including Singapore, Malaysia, the Philippines, Bangladesh, Nepal, and the broader region. This combination of CREST accreditation and regional depth is relatively uncommon in the Asia-Pacific market.

For organisations evaluating QSA providers alongside penetration testing firms, the guide to choosing a QSA organisation covers similar verification principles applied to PCI DSS assessors.

The bottom line: CREST accreditation is a quality signal that removes guesswork from provider selection. It is not the only factor — industry experience, geographic coverage, and cultural fit all matter — but it is the single most reliable indicator that a penetration testing firm meets an independently verified baseline of competence, methodology, and professional standards. Verify before you sign, and make CREST accreditation a non-negotiable part of your penetration testing procurement process.

CRESTPenetration TestingVAPTAccreditationSecurity Testing