Ian Glover, president of infosec accreditation body CREST, is stepping down from his post, he told the organisation’s annual general meeting yesterday.

Sources whispered of Glover’s departure to The Register ahead of a mass mailout today to members of the organisation, which oversees some industry-recognised penetration testing exams and certifications in the UK.

“My retirement is something I have been planning for some time and, while I leave with a heavy heart, I am confident CREST will continue to move forward in the hands of an excellent team,” said the man himself in a canned statement emailed round CREST member organisations, following his 13 years at the helm.

CREST had not responded to The Register‘s request to interview Glover by the time of writing. He will remain in post for another three months.

Glover was president of CREST when the exam-cheating scandal broke last year. A major CREST backer, pentesting firm NCC Group, had been creating cheat-sheets and walkthroughs for CREST certification exams.

Numerous ex-NCC sources told The Register of an internal culture where exam candidates were shown marked copies of past papers, in apparent breach of CREST’s non-disclosure agreement. Unlike school exams where past papers are freely circulated, CREST was supposed to rigidly control all of its exam materials to prevent their public disclosure at any stage. One source told us at the time: “The content of the exams and syllabus is intentionally extremely vague and under heavy NDA.”

People who worked hard to pass their CREST exams expressed disgust to El Reg that a significant backer of the industry body appeared to be spoon-feeding its staff the answers, raising questions about the exams’ integrity and the competence of people who ultimately sign off clients’ crown jewels as secure. Those clients include the British government and critical national infrastructure operators.

Rob Dartnall, chairman of CREST,…