Knox Security Certification Program

Certification Levels

Choose the right certification level for your business.


Annual Re-Certification

Certifications are valid for one year and require re-certification annually to stay certified.


Certifications are technology agnostic.  As your trusted partner we can make valuable recommendations for security process or technology.



Demonstrate to your customers and vendors the security of your company or solution.

Choose the Certification Level Right for You!

Regardless of your information security program maturity, we have certification levels to match.

  • If you’re just getting started, and want to prove security to a prospective customer, check out our Knox Standard Certification.
  • If your information security program is maturing and your organization has implemented more than the basics, get credit for it with the Knox Enhanced Certification.
  • If your company utilizes advanced security techniques, and you want to be able to demonstrate it, consider the Knox Advanced Certification.

Contact us now to get started!

Why Certify?

Our clients choose the Knox Security Certification Program for a variety of reasons, but the top 3 reasons are:

  • Consumer Confidence: The Knox Security Certification helps demonstrate your security posture to your customers and differentiates you from your competition.
  • Reduce time on Vendor Questionnaires: Almost all of our clients have to complete a Vendor Questionnaire now-and-again.  The Knox Security Certification can help to reduce the time spent filling out different questionnaires with the same questions.  We’ll issue you an actual certification you can send directly to the vendor.  Most of our clients say they’ve reduced time spent on questionnaires by 50% with the Knox Security Certification.
  • Internal Confidence: For companies that have been working on building their security muscle the Knox Security Certification is a great way to demonstrate your accomplishments.

Contact us now to get started!

The Knox Security Certification has allowed me to reduce the number of hours spent every week responding to vendor questionnaires.

CISO, Major Insurance Service Provider

Certification Criteria:

Each certification level features a comprehensive set of control criteria and a client must meet all requirements to achieve certification.

Knox Standard

This security certification is for most folks looking to get started and prove a solid security foundation.


Documented Data Inventory and Flows

Documented System and Device Inventory

Documented Approved Software List and Inventory

Established Security Awareness and Training Program

User Identification and Authentication Controls in Place

Malware Protections in Place

Remote Access Controlled

Least Privilege Practiced

Control of Mobile Devices

Vulnerability Scanning Program in Place (45 Day Remediation for Critical Vulnerabilities)

Annual Network Penetration Test Completed (45 Day Remediation for Critical Vulnerabilities)

Annual Web Application Penetration Test Completed (45 Day Remediation for Critical Vulnerabilities)

Knox Enhanced

A certification for organizations looking for all of the Knox Standard and looking to showcase their external protections.

All of the Knox Standard, plus:

Perimeter Defense (incl. IDS/IPS) Established

Secure SDLC (Software Development Lifecycle) Practiced

Assesses Security of Third Party Partners/Suppliers

Logging and Monitoring Solution in Place

Commercially Reasonable Encryption Standards and is Implemented

Enhanced Vulnerability Management Program (Continuous Monitoring)

Patch Management Program in place

Hardening Standards for Servers and Workstations

Identity and Access Management Program in place

Network Traffic Filtering solution is in place

Device Sanitation Policy and Process is established

Self-Assessment Completed between Certification Assessments

Vulnerability Scanning Program in Place (30 Day Remediation for Critical Vulnerabilities)

Annual Network Penetration Test Completed (30 Day Remediation for Critical Vulnerabilities)

Annual Web Application Penetration Test Completed (30 Day Remediation for Critical Vulnerabilities)

Knox Advanced

A certification for organizations also looking to showcase their continuous monitoring and threat hunting capabilities.

All of the Knox Standard & Knox Enhanced, plus:

Application Control Software Deployed

Proactive Threat Hunting Tools and Process in place

Information Security Committee and Charter Developed and Practiced

Fully Documented Incident Response Plan

Web Application Firewall (WAF) in place

Data Loss Prevention (DLP) or Similar Solution  in place

Frequently Asked Questions about Certification:

1. How long does it take to receive our certificate? 

It depends on certification level you want, size of your organization, and scope of the environment we are assessing.  Smaller certification assessments can be completed in as little as 2 weeks; some of our larger assessments (large organization with large scope) have taken 8 weeks to deliver.

2. I want to certify but I’m not quite ready–can you help me get ready? 

Absolutely.  We offer readiness reviews/assessments for organizations that want to certify but may not be quite ready.  This results in a list of remediation items to fix before we begin the official assessment, as well as guidance on potential best ways to get there.

3. What happens if we fail the assessment? 

We give customers 30 days to fix any outstanding items and prove that a process to maintain security hygiene is in place.

4. Why would I want to certify? Companies certify for a variety of reasons:

  • Develops Consumer Confidence – This certification will help to prove to your current and prospective customers and partners that you’ve taken efforts to improve your security posture and it’s been independently validated.
  • Proves Security to Auditors – Many companies are asked to complete vendor questionnaires or answer to security auditors.  This certification helps to shorten the response time of those audits.
  • Company Internal Credibility – For many of our customers trying to certify against a benchmark can prove to internal leadership that their investment in security is paying off.

5. Can you assist with remediation?

Yes. We want to be your trusted security partner.  When you succeed, so do we.

6. I have had another vendor do my penetration testing, can I use that toward the certification?

Maybe.  But here’s what we’re looking for to include a third-party test:

  •  Penetration testing completed within 30 days prior to the start of the credentialing effort.  (Because remediation efforts might need to take place).
  • Penetration testing needs to be an actual penetration test covering areas such as business logic abuse and access model testing.  A penetration test is not a vulnerability scan.  If you’re looking for more details, check out this blog post:
  • The test effort needs to be comprehensive following a guideline such as NIST 800-115.

Looking for more information? Start here:

Pin It on Pinterest