CREST and CERT-In are both stamps of approval for penetration testing, but they come from different places and mean different things. CREST is a global non-profit. It checks that a testing firm and its testers meet a set standard, and the worldwide market trusts its mark. CERT-In is part of the Indian government. It approves the auditors who are allowed to sign off on security for Indian companies under Indian law. If you sell to global customers, you usually want CREST. If you have to satisfy an Indian regulator, you need CERT-In. Many top firms, SecureLayer7 included, hold both.
What is CREST?
CREST is the Council of Registered Ethical Security Testers, a UK-based international non-profit that accredits two things:
- Companies. A CREST-accredited member company has passed an audit of its processes, quality systems, and code of conduct.
- Individuals. CREST-certified testers have passed technical examinations in specific disciplines (web app, infrastructure, simulated attack, threat intelligence, vulnerability assessment, and others).
CREST accreditation is widely recognised in the UK, Europe, Australia, the Middle East, Singapore, and Hong Kong. The UK financial regulator's CBEST scheme requires CREST-accredited providers. Many large enterprises and government customers require CREST in procurement.
What is CERT-In?
CERT-In is the Indian Computer Emergency Response Team. It is the national cybersecurity agency, part of the Ministry of Electronics and Information Technology (MeitY).
CERT-In keeps an official list of approved security auditors. The word for being on that list is 'empanelled'. To get on it, a firm has to apply, prove it can do the work, pass an evaluation, and keep reporting to CERT-In over time. Once a firm is on the list, it is allowed to run security audits for Indian companies that the law requires to use an approved auditor.
You need a CERT-In-empanelled firm if you are:
- A bank, financial firm, or insurer regulated by the RBI, IRDAI, or SEBI
- Running Critical Information Infrastructure (a category defined in India's IT Act)
- A government department or public-sector company
- Covered by MeitY's IT Rules
- A large Indian company whose own policy asks for it
How do they differ in practice?
- Who runs it. CREST is a private non-profit. CERT-In is a government body.
- Where it counts. CREST is trusted across the UK, EU, Middle East, Australia, and parts of Asia. CERT-In counts in India.
- What it vouches for. CREST vouches that the firm and its testers meet a set technical and quality standard. CERT-In vouches that the firm is allowed to run the audits Indian law requires.
- Who asks for it. Global customers, UK and EU regulators, and large enterprises ask for CREST. Indian regulators, government buyers, and large Indian companies ask for CERT-In.
- What the work looks like. A CREST job follows the methodology and scope you agree with the tester. A CERT-In audit follows a fixed framework for your sector (for example, the RBI's rules for banks) and produces a set report you file with the regulator.
Which one should you ask for?
It depends on what you need to satisfy:
- International compliance or large enterprise procurement. Ask for CREST. A CREST-accredited provider is the default credential the global market understands.
- Indian regulatory obligation. Ask for CERT-In empanelment. RBI, SEBI, and CII (Critical Information Infrastructure) obligations require it.
- Both global and Indian operations. Choose a provider that holds both. The same engagement can satisfy both kinds of customer if scoped correctly.
- No specific compliance obligation, just technical assurance. Either credential is a useful signal of process maturity. CREST is the more globally recognised one when the buyer has no specific framework requirement.
Common misconceptions
- CREST and CERT-In are not interchangeable. Some providers list both with similar weight in marketing. A CREST report does not satisfy a CERT-In regulatory obligation, and a CERT-In report from a provider without CREST accreditation does not satisfy a CREST procurement requirement.
- CREST 'accredited' and 'registered' are not the same thing. CREST accredits companies and certifies individuals at different levels (Practitioner, Registered, Certified). A 'CREST tester' could mean any of these. Verify the level when it matters.
- CERT-In empanelment is not a one-time event. Empanelled firms re-apply periodically and are subject to ongoing reporting and review. Verify that the firm is currently empanelled, not just that it was once.
- OSCP, CEH, and similar individual certifications are not equivalent to CREST or CERT-In. OSCP is a strong individual skills credential. CEH is widely held. Neither replaces an organisational accreditation when the requirement is procurement or compliance.