
CREST is a software developed by Rexilience for risk management according to ISO/IEC 27001:2022.
To use CREST, it is necessary to register and wait for user approval from Rexilience.
To receive information regarding CREST you can write to: crest@rexilience.eu.
CREST user's guide
1. Getting started - Settings menu
1.1. Criteria
As a first step, you will have to access the “Settings” menu and first define the “Criteria”, i.e., the analysis parameters.
“Impact Criteria” and “Probability Criteria” can follow the ISO/IEC 27005:2022 standard or be defined according to your own need (Owners). After the criteria are chosen, the maximum risk level is automatically calculated.
You will then have to define the “Acceptable Risk Level Threshold” value, which is the product of the minimum acceptable impact and the minimum acceptable probability, and the frequency of risk assessment. It is possible to use the “Vulnerabilities and Threats” model, choosing ISO/IEC 27005:2022, ENISA or Custom as reference.
To record the changes you need to press the “Save” button again.
Please note: the settings are valid for subsequent evaluations (see Evaluation menu).
If you change the parameters, the changes will apply only to future assessments; previous assessments remain tied to the parameters as they were defined at the time those assessments were created.
1.2 Primary assets
To define primary assets, it is first necessary to press the “Add” button.
Each asset consists of a code (unique, alphanumeric) and a textual description. Once filled in, it is necessary to press the button with the diskette icon (“Save”).
As soon as the asset is saved, it is necessary to press the light blue “Edit” button to enter details about the processes involved, services, and stakeholders. Finally, you can select the associated supporting assets (one or more); it is recommended to create the supporting assets first so that they can be associated with the primary assets. Alternatively, you can create the primary assets first, then the supporting assets, and associate them with the primary assets afterwards. You can add as many assets as you deem necessary for the risk analysis.
It is possible to edit via the “pencil” button the code and description of the primary assets entered.
It is possible to delete via the “X” button the individual primary assets entered.
1.3 Supporting assets
To define supporting assets, it is necessary to press the “Add” button.
Each asset consists of a name (unique, alphanumeric), a category (Hardware, Software, Network, Production Site, Organizational Structure, People), and a text description. Supporting assets can be related to one or more primary assets.
Once filled in, it is necessary to press on the button with the “Save” diskette icon. You can add as many supporting assets as you deem necessary to consider in the risk analysis.
It is possible to edit via the “pencil” button the support assets entered.
It is possible to delete via the “X” button the individual support assets entered.
2. Risk assessment
The risk assessment can be carried out only after the Criteria, Primary Assets, and any Supporting Assets have been set up.
To begin a Risk Assessment for your company, you must define a risk assessment date and enter a text description.
The assessment inherits the default settings (see “Criteria” menu). It is based on a process described in three “tabs”:
- Assessment
- Treatment plan
- SoA (Statement of Applicability)
2.1 Evaluation
In the “Evaluation” tab it is necessary to:
- choose/search among the predefined Assets the one you intend to treat;
- associate a Vulnerability;
- perform the assessment of: probability and impact (confidentiality, integrity, availability).
Press on the “Save” button to store the choices.
The resulting color of each of the three calculated risk values, R-I-C (probability multiplied by the confidentiality, integrity and availability impact respectively), will be red if higher than the “Acceptable Risk Level Threshold” defined in the criteria, and green if less than or equal to it.
If at least one of the indicators is red, it is necessary to carry out risk treatment.
By means of the “Treatment” selector button, the R-I-D status after the indicated treatments can be displayed; pressing the “treatment details” button shows the treatments applied.
2.2 Treatment plan
The treatment plan reports the actions necessary to mitigate those controls that have “red” lights in the risk assessment.
The risk reduction percentage entered for a treatment is used to recalculate the residual risk values.
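As an added worked example (not CREST's own code), the scoring rules described in the Evaluation section and the residual-risk recalculation above, assuming 1-5 scales for probability and impact and a whole-number reduction percentage (the page does not state the scales):

```python
from dataclasses import dataclass

# Constructed example of the CREST scoring rules; scales are an assumption.


@dataclass
class Criteria:
    min_acceptable_impact: int       # assumed 1-5 scale
    min_acceptable_probability: int  # assumed 1-5 scale

    @property
    def threshold(self) -> int:
        # Acceptable Risk Level Threshold = min acceptable impact x probability
        return self.min_acceptable_impact * self.min_acceptable_probability


@dataclass
class Assessment:
    asset: str
    vulnerability: str
    probability: int
    impact: dict  # {"C": ..., "I": ..., "A": ...}, assumed 1-5 scale


def risk_values(a: Assessment) -> dict:
    # One value per CIA dimension: probability multiplied by that impact.
    return {dim: a.probability * imp for dim, imp in a.impact.items()}


def status(values: dict, threshold: int) -> dict:
    # Red if strictly above the threshold, green if less than or equal.
    return {dim: ("red" if v > threshold else "green") for dim, v in values.items()}


def needs_treatment(st: dict) -> bool:
    # Treatment is required as soon as at least one indicator is red.
    return "red" in st.values()


def residual_risk(values: dict, reduction_pct: int) -> dict:
    # The treatment plan's reduction percentage scales each value down.
    return {dim: v * (100 - reduction_pct) / 100 for dim, v in values.items()}


if __name__ == "__main__":
    crit = Criteria(min_acceptable_impact=2, min_acceptable_probability=2)
    a = Assessment("SRV-01", "Unpatched OS", 3, {"C": 2, "I": 1, "A": 3})
    before = risk_values(a)
    print(status(before, crit.threshold))              # C and A red
    after = residual_risk(before, 60)                   # 60 % reduction
    print(status(after, crit.threshold))               # all green
```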
It is necessary to use the “All to be treated” selector in order to view the assets with risk above the threshold, and then the “treatment” button (with the “document” icon) to access the “Risk Management” screen.
Risk management involves first choosing the control (e.g., “5.37 – Documented operating procedures”) via the window that can be activated with the “Search” function.
The “Justification” field is optional and editable in content.
Implementing control via the binary button (on/off) enables the row in the Statement of Applicability.
Actions, responsible person and completion date complete the form.
Save the information via the “Save” button.
Warning!
It is important to also save the data at the “Risk Assessment” level, so as not to lose what was written in the treatment plan.
2.3 SoA (Statement of Applicability)
The Statement of Applicability allows you to choose the controls that are part of the risk analysis process you intend to develop.
By pressing the “pencil” icon you can turn a particular control on or off and specify a justification for your choice.
Controls selected in the treatment plans have the selector switch in the “on” position and the check icon in the next column. Unused controls must have a written justification for not using them.
3. General notes
- CREST is a SaaS (Software as a Service) service, usable via Web browser. Data are confidential per individual user and stored on databases in an encrypted workspace and are available only to the user at the specified email address.
- In the footer of each CREST screen you will find references to the Terms and Conditions of Use, as well as the Privacy policy.
- The login is “passwordless”, that is, it is done without a password to be created and stored but based on an OTP (one time password) code generated and sent by email. To start working with CREST, simply enter your email with which you registered and wait for the OTP code to be received in your email to be used as a temporary password.
- It is recommended to navigate through the menus and interface buttons. Do not use the browser's “Back” or “<-” button, as you may lose data you have just entered.
- The work session closes automatically when the browser or the “tab” containing the application is closed. In this case, it is necessary to login again.
- For any information or requests, please write to the e-mail address crest@rexilience.eu.