Only British citizens can be CERT certified, so if you don't need it, you may miss out on some really good pentesters.

On Sep 29, 2015 5:26 PM, "Alex Brooks" <[email protected]> wrote:
> Hello,
>
> On Mon, Sep 28, 2015 at 8:43 PM, Rich Lewis <[email protected]> wrote:
> <SNIP>
> > I wondered if anyone on the list could recommend an organisation to do some penetration testing for us. We've used Pen Test Partners in the past, and they seemed pretty good to me, but for reasons unknown the auditors want us to use someone else this time round.
> <SNIP>
>
> Sometimes, when an ISP reaches a certain public sector customer base (or becomes so big it forms part of the CNI), the ISP may end up needing to use an HMG accredited pen tester. However, others can engage these companies' services. These accredited providers, as well as being approved to pen test systems handling OFFICIAL and (under supervision) SECRET information, also get access to specialist briefings covering things like GovCERT alerts, respected vulnerability sources and other support material.
>
> Even if you only have private sector customers, it is quite easy to end up transmitting or processing sensitive public sector data; for example, if you provide an encrypted link between two sites for a company managing payroll for a public sector body.
>
> A similar scheme accrediting pen tests for the private sector, CREST, exists, and some pen testers are on both lists, including some mentioned in this thread.
>
> Although you don't need this level of paper assurance, if you have a choice of providers and are having difficulty picking, you may wish to consider using the one on the CHECK list at
> https://www.cesg.gov.uk/finda/Pages/CHECKResults.aspx?post=1&sort=name
> and the CREST list at
> http://www.crest-approved.org/crest-member-companies/members-supplying-penetration-testing-services/index.html
> rather than the one that isn't listed on either. It should certainly help keep the auditors happy.
>
> HTH,
>
> Alex
