SecurityBrief Canada - Technology news for CISOs & cybersecurity decision-makers
Canada

Guides

#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware

Search

Secure building progressive lighting shields network background illustration
#
DevOps
#
APM
#
Risk & Compliance

CREST launches staged programme to guide firms to full cyber accreditation

Fri, 25th Jul 2025
Author image
By Catherine Knowles, Journalist

CREST has introduced a staged pathway designed to support organisations on the route towards its globally recognised cybersecurity accreditation.

The new process includes two distinct stages, known as Pathway and Pathway+, which offer organisations structured progress milestones before achieving full CREST accreditation. These stages are targeted at businesses that aspire to meet high standards in cyber security but may require additional resources and guidance to reach that level.

Accreditation pathway

Through the Pathway programme, organisations enter the CREST community where they can access resources aimed at helping them work towards full accreditation. This includes staying up to date on cybersecurity developments, joining relevant communities, and familiarising themselves with the requirements of CREST standards.

The Pathway+ designation goes further by providing a toolset that allows organisations to self-assess against CREST's accreditation standards. This helps them identify strengths and areas where further development is needed, and may offer opportunities for mentoring from existing CREST members and access to government funded development initiatives in some regions.

To join the Pathway, companies provide essential information and agree to follow the CREST Code of Conduct. Advancement to Pathway+ requires a self-assessment against relevant organisational standards and at least one CREST cybersecurity service area.

Jonathan Armstrong, Head of Product at CREST, explained the rationale behind the staged approach. He stated, "The importance of working with a trusted and capable cybersecurity service provider cannot be overstated. With millions of pounds at risk, whether through regulatory fines, extortion, business disruption, or lost revenue, cybersecurity is simply too critical to be left to chance with inconsistent or unrecognised vendors."

Armstrong continued, "CREST provides assurance and elevates professionalism in the cybersecurity sector. Buyers can be confident when buying services from a CREST member company that they are being supported by a company which has been assessed against the most stringent standards available globally in their areas of technical competence. Pathway and Pathway+ are the latest additions to our framework, designed specifically for organisations that are committed to accreditation but may not yet meet the full criteria, or are actively working to demonstrate their readiness."

Armstrong added, "These programmes offer a structured pathway for progression, enabling organisations to showcase their commitment to high standards while developing the capabilities needed for full CREST accreditation. In doing so, they gain access to tools and guidance that enhance service quality, accelerate their journey toward membership, and contribute to our shared mission of building trust and strengthening the global cybersecurity ecosystem."

Timelines and expectations

The framework specifies target timelines for moving through the stages. Pathway+ participants are expected to aim for full accreditation within two years, while organisations starting with Pathway have up to four years to achieve the same milestone. This structure is intended to support organisations' service development while maintaining a clear standard of progression.

Full CREST accreditation, once achieved, includes a robust and independent evaluation of an organisation's services, security processes, staff competence, and governance structures. CREST-accredited status is promoted as a trustmark that signals to service buyers that providers adhere to consistent and rigorously tested standards.

Service reliability

The new Pathway stages are expected to help standardise the quality of cybersecurity service delivery, particularly in areas such as penetration testing, threat intelligence, red teaming, security operations, and incident response. CREST states this consistency enables "meaningful year-on-year comparisons" for buyers and helps promote transparency and trust across the industry.

By opening up these stages to organisations at an earlier point in their development, CREST aims to increase both capacity and capability across the cyber security sector internationally. The process is positioned to support the gradual maturation of security firms while increasing confidence in the market's ability to deliver secure, reliable services.

Organisations recognised under the Pathway and Pathway+ models do not attain official accreditation immediately, but instead signal a commitment to progress and responsible practice in cyber security. For buyers, working with a CREST-accredited provider signals that the services are delivered by professionals with appropriate and up-to-date training, having been assessed against industry standards that are recognised internationally.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
ManageEngine AD360 adds identity risk & MFA to combat breaches
Siren & Flashpoint partner to boost intelligence investigations
60% of enterprise firewalls fail initial compliance - study
Tenable boosts vulnerability priority rating with advanced AI
Microsoft SharePoint zero-day flaw prompts urgent global response

Top stories

Lab 1 report reveals unstructured data heightens breach risks
Your employees are using AI. Where’s your policy?
Global ransomware attacks drop 43% but threats evolve quickly
Criterion & Trackforce launch unified payroll solution for security
Digital attack surfaces expand as key exposures & risks double