Navigating the Complexity of Cybersecurity Standards and Frameworks

All of us understand the critical need for robust frameworks to ensure the highest quality of delivery for our clients. In this increasingly complex digital landscape, numerous frameworks have emerged, but they serve very different purposes.

Among these frameworks, CREST stands out as it specifically focuses on the quality of cyber service providers, as opposed to frameworks that help deliver cyber services (e.g. NIST NICE). In this analysis, we'll delve into the similarities and differences between CREST and other prominent cybersecurity frameworks.

Understanding CREST's model:

CREST is renowned for its emphasis on driving consistent global standards and on quality-assuring both companies and individuals. Key services it focuses on include penetration testing, incident response, SOC, threat intelligence and red teaming. It is structured around industry best practices and is widely recognized around the world for its rigorous accreditation and certification programs. CREST certifications validate the expertise and professionalism of cybersecurity practitioners, ensuring that they adhere to the highest standards in ethical hacking and other related cyber disciplines. It is of particular benefit to national regulators and buyers of cyber services, both of whom need the independent assurance of service providers that CREST offers.

One of CREST's key strengths lies in its high, consistently applied standards. This is combined with an ethos of support, helping organisations through the process and encouraging learning. This structured approach helps organizations improve their service offering, document their processes and build a highly skilled and competent workforce.

Comparing with Other Frameworks:

Other international frameworks generally focus on particular technical dimensions of cyber security, rather than the organisations that offer those services to clients. The following are examples of such frameworks:

NIST Cybersecurity Framework (CSF): Developed by the National Institute of Standards and Technology (NIST), CSF provides a comprehensive framework for improving cybersecurity posture across various sectors. CSF offers a broad perspective, encompassing risk management, incident response, and governance alongside technical aspects.

OWASP Top 10: The Open Web Application Security Project (OWASP) publishes the Top 10 list, highlighting the most critical web application security risks. OWASP Top 10 specifically addresses vulnerabilities prevalent in web applications and serves as a reference point for developers and security professionals to prioritize and mitigate web application vulnerabilities.

MITRE ATT&CK Framework: The MITRE ATT&CK Framework offers a detailed matrix of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. It focuses on understanding and countering adversarial tactics, enabling organizations to better detect, respond to, and recover from cyber threats.

The intersection point between these very different frameworks is key. All businesses can use the technical frameworks above to strengthen their cyber security posture. Cyber service providers can then use these frameworks as the basis of constructing service offerings in line with international best practice as well as assuring and testing businesses that adhere to such frameworks. Bringing these things together, buyers of services should ensure their service provider is CREST accredited to be confident in using a professional, skilled and competent provider.

Zoja Antuchevič SolutionLab