Compass Security Switzerland and Germany is CREST* certified for its penetration testing service since June 2023. The certification proves our high level of quality and service in this area.

Fabio Poloni, Regional Manager Basel, has internally managed the accreditation process and has taken care of the comprehensive requirements in 4 main areas:

• Company operating procedures and standards
• Personnel security and development
• Approach to testing and response
• Data security

We asked him some questions about the process.

Fabio, why did Compass Security get certified?

«Compass Security has grown. We now employ over 50 penetration testers in Switzerland and Germany. The internal processes that strongly influence the quality of our work on customer orders have also grown. We wanted to align these processes with the globally known CREST standard. Are we on the right track? Where do we still need to adjust?

In addition, potential customers are looking for partners who meet certain standards, speak the "same language" and meet their service quality requirements. The quality of our penetration tests can only be tested in advance to a limited extent. In German-speaking countries, for example, we benefit from our name recognition and customer recommendations, whereas we are less well known in the international arena. CREST certification provides an indication of the professionalism of our services. For existing customers, it is a further confirmation that we handle their projects with great professional competence.»
 

How did the accreditation process work?

«Many areas were examined, always focusing on the aspect of information security. For example, we had to describe our recruitment and training processes for security analysts. We had to explain how we conduct research or how we secure the infrastructure that our analysts use for testing. Most issues were about working on the customer project. Do the contract documents cover all the important points, for example, legal protection and the handling of customer data? Do we communicate clearly and transparently? How do we work with the customer's security team? Do we clearly define the scope? How do we assess vulnerabilities?

We had to explain processes and procedures and present documents. In the course of the work, we realized that we were doing a lot of things right and that the required processes were already being put into practice. Therefore, the main work for me was to put everything down on paper in a structured way. A great deal of work! - but that is always better than the other way around.»
 

How did CREST draw attention to points for improvement?

«CREST makes clear recommendations for improvement. For example, we did not have a formal complaints management system. We consider ourselves lucky that we receive hardly any complaints. However, we have of course discussed internal and external suggestions for improving performance and incorporated them wherever possible - simply without a standardized process.»
 

And what happens next?

«We lean back and put our feet up!

All jokes aside… We want to constantly improve and keep the quality of our work high. For example, we are fine-tuning the on-boarding process for new employees. Several departments are involved here, and they need to be well coordinated. We are also constantly reviewing the quality of reports for our customers. And the complaints management system also needs to be introduced.»

Thank you for the insights, Fabio. Good luck!

* CREST = Council of Registered Ethical Security Tester / https://www.crest-approved.org/

>> Membership Page

>> Certificate (PDF)