May 23, 2019

Last Updated on May 23, 2019

We recently had a client ask us about how CREST and SANS compare. This post strives to answer that question in a “quick but thorough” manner.
CREST and SANS are both prominent official bodies serving the information security industry worldwide, and both offer information security attestations or certifications. However, they serve different needs and purposes overall.

View our free cybersecurity resources »

Comparing CREST and SANS Information Security Certifications

What is SANS Institute?

The SANS Institute is a for-profit company that provides widely respected information security research, training and certificates. It focuses on courses and materials that attest to individuals’ skills and knowledge and does not function as a third-party attestation body for organizations. SANS certifies security specialists who complete coursework and examinations to attest to their understanding of current standards and practices in the InfoSec field.
While SANS does have a best-practice approach for each one of its certifications, and professionals seeking SANS certification must understand these practices, the scope of SANS testing is often written only; it doesn’t include practical application. Similarly, it is rarely a requirement for a security professional to explicitly follow SANS practices and methodology.

What is CREST?

Nonprofit CREST goes a step further than SANS in the scope of its testing and certifications. Standardized, proven practices and reporting requirements are “part and parcel” of the CREST certification process, and are both verified and enforced at the level of business practice and methodology. CREST certified practitioners must also adhere to the applicable CREST standards and methods for their practice area(s). For Pivot Point Security to perform CREST approved network assessments and penetration tests, both our testers and our standardized testing methodology must be CREST approved and certified.
I hope the above comparison sheds light on how CREST and SANS relate and differ, and that it helps our blog readers evaluate third-party offerings.
To speak with a CREST-certified testing expert about your needs for network security and attestation, contact Pivot Point.

Is a penetration test really the service you need?

Without good Asset, Patch & Vulnerability management in place, a network penetration test could be a big waste of time and money.
Download the free inforgaphic now!