Becoming a Certifying Body
A Certifying Body is a company that has been accredited by an Accreditation Body, such as CREST, to assess and certify organisations under the Cyber Essentials scheme. A company can only become a Certifying Body under CREST if it becomes a member and meets our stringent requirements, which include access to one or more individuals who hold the required Cyber Essentials assessors' qualifications. To join CREST, companies need to have:
- Demonstrated appropriate levels of quality assurance processes, security controls, security assessment methodologies and met additional qualification criteria
- Signed a Code of Conduct
- Proven access to technically competent and qualified staff
- Committed to adhering to the requirements of Certification Bodies for Cyber Essentials.
CREST member companies that offer Cyber Essentials services have gone through a supplementary company assessment that meets the contractual obligations of this scheme. Additionally, CREST requires the scanning solutions in use for vulnerability scanning to meet certain minimum requirements. This is validated by each company performing a Cyber Essentials style test against an internet-visible CREST Assault Course, followed by the production of a Cyber Essentials report using normal procedures, reporting formats and so forth.
Organisations that are considering becoming a Certifying Body under CREST should contact us to start the process, which begins with the signing of a mutual NDA to allow the membership application form to be released. The application form outlines the Cyber Essentials testing criteria that must be met. Upon successful accreditation to CREST as a Certifying Body, an organisation will be given access to information covering:
- The tests to be undertaken
- The content of test reports
- Guidance on the functionality for some common tools
- The criteria for granting certification
- The content of certificates
All of the CREST documents used to run practical Cyber Essentials assessments are based on the CESG specification. To better understand the requirements of a Cyber Essentials Certifying Body, further information can be found on the following links: