CREST Incident Response Maturity Assessment

CREST Incident Response Maturity Assessment

CREST is an international not-for-profit accreditation and certification body that represents and supports the technical information security market. CREST’s mission is to help establish best-practice guidelines and standards for the global security industry. In addition, it provides educational and assessment-oriented materials to help non-security entities, procure security services and assets from an informed position. The CREST Incident Response Maturity Assessment was developed to help organizations determine their capacity and readiness to deal with security incidents.

Along with the model, CREST has released a tool in the form of a spreadsheet that organizations can use to carry out this assessment. Maturity is scored on a 5-point scale with 1 being the least effective and 5 being the most effective. The 5 maturity levels are:

  • Foundation
  • Emerging
  • Established
  • Dynamic
  • Optimized

The point of this tool is to make it as easy as possible for various organizations to assess their incident response maturity. However, in the face of an increasingly varied and dangerous threat landscape, you can’t be too careful. Partnering with a professional, trusted security solutions provider, such as LIFARS, is the best way to ascertain your comprehensive information security, risk, and compliance status according to top industry standards such as SIM3 and CREST.


LIFAR’s Gap Assessment not only determines your current state along with your risk appetite and tolerance, but we also provide you with an actionable roadmap to reach target maturity level including strategy, structure, governance, and operations management plan.


Let’s look at how the CREST Incident Response Maturity Assessment works and how you can apply it to your organization:

The 5 phases of the CREST Incident Maturity Assessment process

cyber security incident graphic

As you can see, Phase 1 is all about preparing for a smooth and effective response to security incidents. This is achieved via a process of information gathering. It involves conducting a proactive critical assessment of your company’s readiness to face security threats according to your most critical or sensitive resources that you want to protect as well as the most likely threats your organization will face.

You need to prepare your organization across the board, taking a broad view across your SecOps people, technologies, and information. Having conducted a risk assessment using a framework such as NIST SP 800-30 will make this step much easier.

Phase 2 covers how your organization handles an actual security incident as it is happening. Following a typical incident response plan, it kicks off with identifying an IoC (an indicator of compromise), investigating the situation, taking the appropriate action, and recovering your systems to continue business operations.

Finally, Phase 3 covers an area even security professionals often forget about, and that is post-incident forensics and documentation. This step can be crucial to ensure good governance and compliance, especially in highly security-regulated industries such as healthcare. It’s also critical that you thoroughly investigate and document incidents. By doing so, you can make more informed security decisions in the future. For example, you may want to determine:

  • Where did the threat originate from?
  • What exploit/vulnerability led to the first compromise of your systems?
  • How did the infection/intrusion spread laterally through your network?
  • What are the artifacts, IoCs you can use to identify the same threat sooner in the future?
  • Which systems, resources, etc. did it target? How much damage did it do?
  • How can you improve your response to this exact incident?

The MITRE ATT&CK framework can be useful for carrying out and this type of investigation and classifying threats.

How to carry out a CREST Incident Response Maturity Assessment?

Using the tool is fairly easy if you have someone in your organization with knowledge of the SecOps landscape within your organization.

Start by generating a profile for the assessment. It should be based on the security area you want to assess, the scope of the assessment, and key components.

Set your target maturity level for each of the steps of the CREST incident response model (based on the 5-point scale mentioned above).

Next, you can further apply priority weighting to individual factors that each step of the process consists of.


With LIFARS on retainer, as the initial step, incident response readiness assessment based on the CREST Maturity Assessment model will be performed to get intimate understanding of your security posture for more effective incident response.


You will then need to answer questions relating to your current readiness according to these factors. This assessment is broken up according to the 3 main phases of the incident response model.

Finally, the tool will automatically calculate your readiness according to the weightings you provided and your answers to the readiness assessment questionnaire.


Organizations often don’t know where to begin when it comes to establishing their readiness to face security threats. Luckily, there are organizations out there with the goal educate and guide organizations to be more security savvy. The CREST Incident Response Maturity Assessment is just one such example. You can get an even more accurate and comprehensive understanding of your readiness, threat profile, risk tolerance, etc. by combining this assessment with other standards and practices.

This assumes you have some of the required SecOps expertise and foreknowledge within your organization. However, if you do not not, or if you just want a more comprehensive incident response readiness audit, working with a professional security solutions and services provider is the way to go.





Cyber Security Incident Response Maturity Assessment

CREST Maturity Assessment Tool