UK Penetration testing accreditation
Accreditation for penetration testing companies and individuals is set to change this year, as two new certifications are now on offer: CREST and Tiger. The long-established and well-respected CHECK certification will continue to be offered by CESG.
The CESG CHECK scheme, launched in 1999, has become accepted as the gold standard within the industry. Despite its high reputation, it was only really designed for use on classified government systems, and it has suffered from a shortage of fully-qualified members. The end result is that there are not enough CHECK team leaders to satisfy the demand from both government and commercial organisations - currently there are only about 70 team leaders in the country. The CHECK scheme went through a difficult patch in 2006/2007 and, although new membership is still suspended, it has begun to run its assault courses again for existing member companies.
Both the CREST and Tiger schemes were created to fill this gap, but they are based on very different models. CREST is an industry body with about 25 members, representing most of the UK's main security testing organisations, whereas Tiger consists of an operating body run by Vizuri's training arm Qbit Ltd and an examination body run by the University of Glamorgan. CREST offers both company and individual certifications, whereas Tiger focuses only on individual certification. The view within the industry is that there is only room for one of these certifications within the UK, so it is expected that ultimately one of them will become the dominant accreditation standard.
CHECK will undoubtedly remain but, assuming that at least one of CREST or Tiger succeeds, it will probably become more government-focused and less relevant for commercial organisations. In many ways, this is a good thing, as CHECK was never meant to be a commercial accreditation and the limitations of SC clearance and British citizenship are not always relevant for commercial penetration tests.
The new accreditations will also be good news for people wanting to pursue a career in penetration testing, because many people were excluded from the CHECK scheme due to these limitations. Other qualifications such as CISSP and CEH were more tests of baseline knowledge than of penetration testing ability. This can only be a good thing for the penetration testing industry and for companies that require penetration testing, as it will increase the number of qualified testing consultants.