Cites low demand from people with skills in the cyber defence role
The Government’s information security body has dropped its certification for penetration testing, a key role in keeping up the defences against cyber attacks.
CESG, the National Technical Authority for Information Assurance, said it has stopped accepting applications and will remove the role from its certification for IA professionals at the next review.
It cited a low number of applications as being at the root of the decision, and said there has been a perception that any benefit from certification was not matched by the cost and effort involved.
The other certification bodies – APM Group, BCS – The Chartered Institute for IT, and the Institute of Information Security Professionals – are also withdrawing from the certification process.
Penetration testing involves gathering information about a computer system or web application to identify possible entry points, then attempting to break in and reporting back on the findings. It is one of the key features of an organisation’s cyber defences, and the CESG decision suggests that demand is sufficiently strong for people with the relevant skills to find plenty of clients without the certification.
The agency said it is not completely retreating from the field, acknowledging the importance of the service to clients of the testers.
“We also realise that clients will need to differentiate between testers with deep technical expertise and those with a broad skill set, who can advise on an appropriate business response to identified vulnerabilities,” it said.
“Therefore we are considering how to distinguish between these skill sets as part of the broader industry schemes review currently underway.”
Certification for the role was introduced in 2014.