How to become CHECK “green lighted” to deliver ITHC (guidance for organisations and people)

A CHECK approved organisation, otherwise known as a company that has been granted green light status to undertake ITHC penetration testing or vulnerability assessment services, is able to conduct security assessments for UK government agencies or critical national infrastructure (CNI).

NCSC has the following to say when discussing what CHECK is and what it means for penetration testing services:

CHECK is the term for the NCSC approved penetration test companies and the methodology used to conduct a penetration test. Companies providing CHECK services do so using staff who hold NCSC approved qualifications and have suitable experience. Penetration tests are conducted using NCSC recognised methods and the subsequent report and recommendations are produced to a recognised standard.

Also directly quoted from the NCSC website on obtaining CHECK, the following criteria must be met prior to the CHECK assessment:

  • the company must be able to sign-up to English law
  • the company must have performed penetration testing service under their company name for a minimum of 12 months
  • all proposed team members must be able to hold SC clearance
  • there is a minimum of one team member who has passed a CHECK Team Leader examination, and can provide a technical (only) CV, 2 redacted penetration test reports they have authored, and have at least 12 months penetration testing experience

Guidance for organisations seeking to be assessed by NCSC in order to obtain CHECK status can be found here.

How to join CREST as an organisational member

CREST is widely known in the penetration testing industry, due to CREST’s professional membership scheme, professional certification for penetration testers, and support towards becoming CHECK approved with NCSC.

An excerpt from CREST’s website regarding membership:

In accordance with CREST’s stated aim “to increase professionalism in the security testing industry”, CREST places requirements on member companies in order to ensure that consistent standards of services are delivered.

It is worth noting that, as covered in the FAQ provided by CREST, obtaining organisational membership is not dependent on people holding CREST-based certifications.

For full guidance on joining CREST as an organisational member, the following link will be of help: click here