How to become CHECK “green lighted” to deliver ITHC (guidance for organisations and people)

A company that becomes a CHECK approved organisation, otherwise known as being granted green light status to undertake ITHC penetration testing or vulnerability assessment services, is able to conduct security assessments for UK government agencies or critical national infrastructure (CNI).

NCSC has the following to say when discussing what CHECK is and what it means for penetration testing services:

CHECK is the term for the NCSC approved penetration test companies and the methodology used to conduct a penetration test. Companies providing CHECK services do so using staff who hold NCSC approved qualifications and have suitable experience. Penetration tests are conducted using NCSC recognised methods and the subsequent report and recommendations are produced to a recognised standard.

Also directly quoted from the NCSC website for obtaining CHECK, the following criteria must be met prior to the CHECK assessment:

  • the company must be able to sign-up to English law
  • the company must have performed penetration testing service under their company name for a minimum of 12 months
  • all proposed team members must be able to hold SC clearance
  • there is a minimum of one team member who has passed a CHECK Team Leader examination, and can provide a technical (only) CV, 2 redacted penetration test reports they have authored, and have at least 12 months penetration testing experience

Guidance for organisations seeking to be assessed by NCSC in order to obtain CHECK status can be found: here
