When selecting a penetration testing provider, CREST accreditation is the most important credential to evaluate. Here's why CREST matters and how Malaysian financial-sector buyers can verify provider capability before commissioning an assessment.
What is CREST?
CREST (Council of Registered Ethical Security Testers) is an international not-for-profit accreditation body that certifies both individual penetration testers and security companies. Founded in 2006 in the UK, CREST has become the global gold standard for penetration testing.
Why CREST Matters
Rigorous Technical Exams
CREST certifications require passing difficult practical exams that test real-world hacking skills, not just theory.
Ongoing Competence
CREST members must demonstrate continuous professional development and maintain their skills.
Code of Conduct
CREST members are bound by strict ethical guidelines and confidentiality requirements.
Quality Assurance
CREST companies undergo regular audits to ensure their processes meet high standards.
Regulatory Recognition
CREST is recognized by regulators worldwide, including Bank Negara Malaysia for RMiT compliance.
Insurance & Liability
CREST companies must maintain professional indemnity insurance, protecting clients.
Bank Negara's CREST Requirement
Bank Negara Malaysia's Risk Management in Technology (RMiT) framework specifically expects financial institutions to obtain independent, technically competent assurance. CREST-style controls help buyers evaluate:
- Consistency of quality across all financial institution assessments
- Whether testers have demonstrated competence through rigorous examination
- Ethical handling of sensitive financial data
- Professional accountability and recourse mechanisms
RMiT Requirement
Financial institutions should confirm tester credentials, methodology, independence, reporting quality and evidence handling before commissioning a penetration test.
— Practical RMiT procurement checklist
CREST Certifications Explained
CRT (CREST Registered Tester)
Entry-level certification demonstrating core penetration testing skills.
CCT (CREST Certified Tester)
Advanced certification for experienced penetration testers. Available in Infrastructure and Application tracks.
CCSAS (CREST Certified Simulated Attack Specialist)
Expert-level certification for red team operators and advanced adversary simulation.
Choosing a CREST Provider
When selecting a CREST-aligned penetration testing provider, take the following steps:
- Verify their CREST accreditation on the official CREST website
- Check the certifications held by their individual testers
- Review their experience in your industry sector
- Ensure they understand Malaysian regulatory requirements
- Ask for sample reports to assess quality
nCrypt Uses CREST-Aligned Delivery Practices
nCrypt Malaysia scopes penetration testing with CREST-aligned rules of engagement, evidence handling and reporting discipline. We specialize in serving Malaysian financial institutions and understand RMiT requirements.