Quality standards are to be applied to organisations and individuals that offer security penetration testing services, to improve business confidence.

From 1 April, the Council for Registered Ethical Security Testers (Crest) will accredit ethical hackers who perform tests on company networks to see if they are vulnerable to security breaches.

Paul Vlissidis, a member of the Crest operational management committee, says standards are essential for an industry that requires such a high degree of trust.

‘This industry sector has no kitemark,’ he said. ‘Our customers need a bar to allow them to see who comes above it and who comes below it.’

Crest will assess firms and individuals using written and practical exams. Successful accreditations will last for three years before they need to be renewed.

‘Technology and the threat environment are evolving constantly, and our processes need to evolve with them,’ said Paul Docherty, operational management committee member at Crest.

Crest expects that the international nature of its corporate customers will result in the standard becoming internationally recognised within about a year.

Ollie Ross, head of research at The Corporate IT Forum, warns Crest should learn from the mistakes of other standards.

‘An initiative to provide an approved level of quality assurance should be encouraged,’ she said.

‘But the difficulty many users experienced with the recent launch of the Payments Cards Industry (PCI) data security standard demonstrates the need for increased user consultation.’