CHECK Penetration Testing Guide

Updated: July 25th, 2024
6 mins read

CHECK penetration testing is a specialized form of security assessment carried out under a scheme operated by the UK's National Cyber Security Centre (NCSC) for government departments, public sector bodies, and critical national infrastructure (CNI) in the UK.

Unlike a general commercial pentest, which is scoped around whatever the client asks for, CHECK testing is performed by NCSC-approved companies using NCSC-qualified testers and recognized methodologies, with scope and reporting tied to the classification of the systems under test. This targeted approach helps identify the weaknesses most likely to be exploited by adversaries targeting government entities.

What is CHECK?

Formally named the IT Health Check Service, CHECK is an approval scheme operated by the UK's National Cyber Security Centre (NCSC) that authorizes companies to conduct penetration tests on public sector and Critical National Infrastructure (CNI) systems and networks.

It provides a framework for ensuring that penetration testing is conducted to a high standard with qualified personnel according to recognized methodologies.

Who Needs CHECK Penetration Testing?

CHECK penetration testing certification is primarily mandated for:

  • Government departments: Systems handling data classified as OFFICIAL or above are expected to undergo penetration testing by a CHECK-approved company.
  • Public sector bodies: While not always strictly mandated, the NCSC strongly recommends it for public sector organizations, especially those handling sensitive data or operating critical infrastructure.

Please note that for systems handling data marked SECRET or TOP SECRET, the test must be led by CHECK Team Leaders holding the appropriate security clearances and physical access; the page states that two such Team Leaders must be involved.


CHECK vs CREST Penetration Testing

Focus
  CHECK: Government and public sector organizations and critical national infrastructure (CNI) in the UK
  CREST: Broad applicability across industries and countries

Authority
  CHECK: National Cyber Security Centre (NCSC), a UK government agency
  CREST: International, not-for-profit accreditation and certification body

Certification
  CHECK: Approves companies as service providers, on the basis that their testers hold NCSC-recognized Team Leader or Team Member qualifications
  CREST: Accredits member companies and certifies individual testers through examinations

Evaluation Process
  CHECK: Company application and audit by the NCSC, plus qualification and clearance checks on the proposed team
  CREST: Rigorous written and practical exams for individuals; company accreditation against CREST standards

Methodology
  CHECK: Methodologies recognized by the NCSC, with reporting to an NCSC-defined standard
  CREST: Industry best practice and recognized frameworks (e.g., PTES, NIST)

Compliance
  CHECK: Satisfies UK public sector assurance requirements that call for a CHECK test, but is not itself a general-purpose compliance framework
  CREST: Can be scoped to address various compliance requirements (e.g., GDPR, PCI DSS)

Cost
  CHECK: Potentially more expensive because the pool of CHECK-approved companies and cleared testers is limited
  CREST: Generally less costly because certified providers are more widely available

Benefits
  CHECK: Specifically designed for high-risk government and CNI systems; government-backed approval of the provider; consistent reporting across departments
  CREST: Strong focus on individual tester skills; broad applicability across industries; flexibility in test methodology; can be tailored to compliance needs

Steps in CHECK Penetration Testing

Step 1: Define CHECK Tasks

This stage outlines the scope and objectives of the penetration test. It considers the government classification of the information systems involved (OFFICIAL, SECRET, TOP SECRET) and tailors the test accordingly. 

Collaborating with your team, the CHECK penetration tester defines specific targets, attack vectors, and testing methodologies to ensure the test aligns with the organization’s security requirements and risk tolerance.

Step 2: Consent & Legal Requirements

This step establishes the legal framework for the assessment: the testers obtain formal, written authorization from your organization granting explicit permission to conduct the test against the agreed targets.

A comprehensive rules-of-engagement agreement, covering scope boundaries, permitted techniques, testing windows, points of contact, and known risks to live systems, protects both parties and ensures transparency throughout the process.

Step 3: Capture Requirements

Similar to the reconnaissance phase in traditional pentests, the CHECK penetration testing team starts gathering in-depth information about the target system, including network diagrams, system inventories, security policies, and other relevant documentation.

However, as the CHECK framework emphasizes understanding the specific security policies governing government systems, it also thoroughly examines your Information Assurance (IA) framework.

Step 4: Evaluation

Testers meticulously examine systems, networks, and applications for weaknesses during this step through vulnerability assessment and exploitation attempts. 

A key aspect of CHECK accredited penetration testing is that the work is carried out by NCSC-qualified testers following methodologies recognized by the NCSC (which is the UK's National Technical Authority for Information Assurance, formerly CESG). This ensures consistency and adherence to rigorous standards. Note that the scheme does not prescribe a fixed toolset; it is the tester qualifications, methodology and reporting standard that are controlled.

Step 5: Report and Reviews

This stage involves documenting the penetration test findings in a detailed report that adheres to government reporting standards, classifying vulnerabilities based on their severity and potential impact on government systems in clear and concise language.

As required by the scheme, the report must also provide clear remediation and risk mitigation recommendations, prioritized according to the severity and potential impact of each finding on your organization.

Step 6: Knowledge Transfer

The last stage focuses on transferring knowledge to your team through detailed reports with open communication channels to avoid bottlenecks and streamline the remediation process. 

Moreover, to empower you to make informed decisions about remediating vulnerabilities and improving your overall security posture, CHECK encourages testers to present their findings in a way that is understandable to technical and non-technical audiences alike.

How CHECK Approved Penetration Testing Helps You

Benefits of CHECK Penetration Testing

Maintain Compliance: 

CHECK ensures the pen test adheres to UK government guidelines for information security assurance, reducing the risk of failed audits, non-compliance findings, and the legal and reputational consequences that follow a data breach.

Focus on Security: 

By prioritizing vulnerabilities relevant to government threats, CHECK helps identify weaknesses most likely to be exploited by attackers targeting such systems. Its actionable reporting empowers you to address risks effectively and improve your security posture.

Standardized Approach: 

The structured methodology for pen testing and list of vetted tools help ensure consistency and repeatability in assessments across different government agencies. This also allows for easier comparison of security posture across different government departments.

Knowledge Transfer: 

Lastly, the framework encourages clear communication of findings to non-technical audiences, empowering decision-makers to understand and prioritize security improvements while fostering a security-first culture.


How to Get Certified With CHECK?

CHECK approval is granted to companies (CHECK service providers), but it rests on the individual testers within the company holding CHECK Team Leader or Team Member status. Here's what's involved for a team to achieve CHECK status:

Qualifications:

Each team member must hold a relevant NCSC-approved professional qualification. These qualifications demonstrate a basic understanding of penetration testing principles and methodologies.

  1. CREST Examinations: CREST offers exams that fulfill NCSC requirements. Passing the CREST Certified Infrastructure Tester (CCT Inf) or CREST Certified Web Application Tester (CCT App) exam qualifies a candidate for Team Leader status. The CREST Registered Penetration Tester (CRT) exam qualifies a candidate for Team Member status.
  2. The Cyber Scheme: Alternatively, examinations from The Cyber Scheme, like CSTM (Cyber Scheme Team Member) or CSTL (Cyber Scheme Team Leader), can be used for CHECK Team Member and Leader status respectively.

Experience:

The NCSC requires all CHECK Team Leaders and Members to have relevant penetration testing experience. The detailed experience requirements aren't published; in practice, at least a year of demonstrable penetration testing work is expected.

Company Requirements (For Providers):

If your organization aims to be a CHECK service provider, there are additional considerations:

  1. Your company must be able to enter into a contract under English law.
  2. The company must have performed penetration testing services under its current name for at least 12 months.
  3. All proposed team members need to hold the required SC security clearance.

Final Thoughts

In essence, CHECK penetration testing is a rigorous framework designed to safeguard critical UK government systems. Its focus on evaluated and approved tools and methodologies strengthens your security posture while providing a structured approach.

Simply put, in addition to various benefits, CHECK certified penetration testing helps safeguard your sensitive data and systems, builds trust with stakeholders, and contributes to a more secure digital environment.

FAQs

What is a CHECK penetration test?

CHECK penetration testing is an NCSC-approved scheme for authorized penetration tests on public sector and CNI systems, conducted by qualified companies using NCSC-recognized methods, producing reports and recommendations to a recognized standard.

What is the difference between CHECK and CREST?

CHECK is a UK government scheme for approving penetration testing companies to assess public sector and critical infrastructure systems, while CREST is an international accreditation body ensuring high standards in security testing across various sectors, providing broader industry recognition.

How to become CHECK approved?

To become CHECK approved, your company must meet stringent NCSC criteria, including a minimum of 12 months penetration testing experience, holding SC clearance for all team members, and employing a CHECK Team Leader with relevant qualifications and experience.