CREST, a not-for-profit accreditation and certification body representing the technical information security industry, today announced a new remote audit facility for its SOC (Security Operations Center) Accreditation. Reducing the need for travel and helping to ensure more timely and effective audits, the new remote audit capability provides an alternative to on-site audits and will meet the increased international demand for SOC Accreditation, without compromising the high CREST standards.
CREST’s SOC Accreditation is available for both service providers and internal SOCs and was developed with extensive input from CREST members and the wider industry to provide an internationally recognized and independent validation of the SOC. Accreditation demonstrates a high level of assurance and trust. Since its launch at the end of 2017, the CREST SOC Accreditation has seen a significant increase in demand.
CREST has detailed and comprehensive SOC Assessment Criteria that look at six key areas of a SOC: Organizational Environment; Customer Requirements; Technology and Tools; Event Analysis; Threat Intelligence & Situational Awareness; and Protecting the SOC. The first stage of accreditation involves completing the application via the CREST Membership Portal, which will ask questions about processes, policies and methodologies. The second stage is the detailed audit conducted by a qualified auditor within six months of the application.
“Even before the pandemic and the additional travel constraints it has brought, high levels of international demand for SOC Accreditation meant we needed to look for a more accessible, flexible and efficient approach to speed up the audit process,” explains Samantha Alexander, Principal Accreditor at CREST. “But we needed to ensure that any solution didn’t impact the very high standards of the audit itself. This remote capability allows the CREST audit team to review documentation, conduct interviews and site tours with the same rigor and attention to detail as an onsite visit.”
CREST will discuss the process with the organization’s SOC team in advance to ensure that all SOC criteria are covered and technology requirements are reviewed to deliver an effective audit. The audit will start with a review of documentation and records, observations of processes and methodologies, interviews with the SOC staff and a remote video tour of the SOC environment. All data and evidence will be noted and included in the final audit report, held under a CREST NDA. More information is available by visiting https://www.crest-approved.org/applying-for-soc-accreditation.