On Tue, 2015-09-29 at 16:24 +0100, Alex Brooks wrote:
> Although you don't need this level of paper assurance, if you have a
> choice of providers and are having difficulty picking, you may wish to
> consider using the one on the CHECK list at
> https://www.cesg.gov.uk/finda/Pages/CHECKResults.aspx?post=1&sort=name
> and the CREST list at
> http://www.crest-approved.org/crest-member-companies/members-supplying-penetration-testing-services/index.html
> rather than the one that isn't listed on either. It should certainly
> help keep the auditors happy.
You're not giving the full picture here...

CHECK (the government scheme) is only open to British citizens (https://www.cesg.gov.uk/servicecatalogue/service_assurance/CHECK/Pages/Fundamental-Principles.aspx). To do CHECK work, you need to have a security clearance, work for a CHECK-approved ("green light") company and hold a certification that's recognized by CESG.

There are three private schemes that deliver certifications that are recognized by CHECK as equivalent (see https://www.cesg.gov.uk/servicecatalogue/service_assurance/CHECK/Pages/What-is-CHECK.aspx). These are CREST (www.crest-approved.org), Tigerscheme (www.tigerscheme.org) and Cyberscheme (www.thecyberscheme.com). These certifications are for individuals (the boots on the ground, which is what matters)...

On the other hand, the "green light" is a company thing... that's only required if you intend on doing a CHECK test. In practice, unless you're required to do a CHECK test, you don't want one.

It's probably a good idea to ensure that the tester you get holds a valid certification allowing him to do CHECK work... but you don't want a CHECK test. It will add cost and be inappropriate: the schemes are tailored towards what the government needs/uses (old tech, different security models). They have (or should!) proper asset inventories, document classification schemes, ... do you?

I hope the above helps.

Regards,
Florent

PS: I used to sit on the technical board of one of those schemes... and do hold a CTL-equivalent cert... but have never done a CHECK test.
