NCSC (Penetration Testing)

The National Cyber Security Centre (NCSC, formerly CESG), the UK National Technical Authority for Information Assurance, is part of GCHQ. It traditionally provided IT health check services to HMG and the wider public sector for systems handling protectively marked information, identifying vulnerabilities in IT systems and networks that may compromise the confidentiality, integrity or availability of the information held on them. The IT Health Check Service (CHECK) was devised to supplement the information assurance services provided by the NCSC, and demand for these services has grown.

In line with similar NCSC initiatives, a special partnership with industry was deemed the most appropriate way of meeting this demand. The IT Health Check Service, or CHECK, was developed to enhance the availability and quality of the IT health check services that are provided to Government in line with HMG policy. Companies belonging to CHECK are measured against high standards set by the NCSC.

The welcome emergence of the CREST Scheme, company membership and professional qualifications allowed consideration of different ways of operating the scheme and presented an opportunity for CHECK to focus on the purpose for which it was established: the provision of appropriately skilled staff to conduct IT Health Checks for Government.

The NCSC and CREST work in collaboration to provide a set of examinations that are acceptable to industry and meet the requirements of the private and public sectors. The NCSC now requires all existing and future CHECK Team Leaders and Members to have passed an approved professional examination designed to test for a basic grounding in the discipline.

NCSC will accept a pass from one of the following examinations when approving CHECK Team Leader and Team Member status.

CHECK Team Leader (Infrastructure): CREST Infrastructure Certification Examination
CHECK Team Leader (Web applications): CREST Certified Web Application Tester
CHECK Team Member: CREST Registered Security Analyst
CREST Registered Tester Examination

A pass in any one of these examinations merely demonstrates technical competence and does not replace the other requirements to attain CHECK Team Leader/Member status.

The NCSC CIAN 2009/08, in referring to IS6 paragraph, mandates that “All Departments whose delivery chain involves the handling of information relating to 100,000 or more identifiable individuals MUST engage independent experts to carry out penetration testing of their ICT systems.”

The table reproduced below maps system security test recommendations to typical ILs (Impact Levels):

Segmentation Model Level

Business Impact Level
System Configuration Test


Commercial Pen Test (this includes any CREST member company)


CHECK Pen Test
Deter & Resist


CHECK Pen Test + Vulnerability Test
Defend 5 CHECK Pen Test  + Vulnerability Test
HMG Pen Test
Defend 6 HMG Pen Test


Any ITHC must be led by a Team Leader who is present on site for the duration of the testing. For systems handling protectively marked material at SECRET, it is highly recommended that customers employ a minimum of 2 CHECK Team Leaders for an ITHC.

In line with the CHECK process, any candidate failing an examination must wait for three months before re-sitting it.

CHECK Team Member and CHECK Team Leader certifications are valid for three-year periods. If candidates seek to re-certify before the expiry of their current certification period (for example after two years) and fail, their existing certification will be null and void immediately. This applies to CHECK Team Member and within individual CHECK Team Leader specialisms. For example, if a CHECK Team Leader Infrastructure candidate sits and fails an Assessment two years after previously qualifying, they will cease to be a CHECK Team Leader Infrastructure specialist with immediate effect, whilst any existing CHECK Team Leader Web Application specialism will remain unaffected.

More information on the CHECK scheme can be found at