Becoming a Certifying Body
A Certifying Body is a company that has been accredited by an Accreditation Body, such as CREST, to assess and certify organisations under the Cyber Essentials scheme. A company can only become a Certifying Body under CREST if it becomes a member and meets our stringent requirements, which include access to one or more individuals who hold the required Cyber Essentials assessors' qualifications. To join CREST, companies need to have:
- Demonstrated appropriate levels of quality assurance processes, security controls, security assessment methodologies and met additional qualification criteria;
- Signed an enforceable CREST Code of Conduct;
- Proven access to technically competent and appropriately qualified staff;
- Committed to adhering to the requirements of Certification Bodies for the Cyber Essentials Standard.
CREST member companies that offer Cyber Essentials services have gone through a supplementary company assessment that ensures they meet the contractual obligations of this Scheme. Additionally, CREST requires the scanning solutions used for vulnerability scanning to meet certain minimum requirements. This is validated by each company performing a Cyber Essentials style test against an internet-visible CREST Assault Course, followed by the production of a Cyber Essentials report using normal procedures, reporting formats and so forth.
Organisations that are considering becoming a Certifying Body under CREST should contact us to start the process, which begins with the signing of a mutual NDA to allow the membership application form to be released. The application form outlines the Cyber Essentials testing criteria that must be met. Upon successful accreditation to CREST as a Certifying Body, an organisation will be given access to information covering:
- The tests to be undertaken
- The content of test reports
- Guidance on the functionality for some common tools
- The criteria for granting certification
- The content of certificates
All of the CREST documents used to run practical Cyber Essentials assessments are based on the NCSC specification.