To provide support to the selection process for IT security service providers, the BSI, as a neutral government office, has developed a certification process for IT security service providers. The IT security service providers commissioned with these tasks must be reliable and independent, and must offer a high-quality, technically competent service. The goal of IT security service provider certification is therefore to provide assurances as to their trustworthiness and competencies. The basis of any professional service is qualified and competent employees.

Since penetration tests must be matched to the individual situation in the organisation being tested, their standardisation is necessarily limited in scope. Accordingly, a penetration test can only be executed according to a preordained structure to a certain degree. Penetration tests should therefore be performed by experts who can draw on long experience in the field of IT security and who maintain a dedicated penetration testing unit.