CREST and CHECK Penetration Testing Explained – Which is Right for Your Business?


CHECK and CREST are two of the most widely used, internationally recognised UK-based pen testing benchmarks, helping organisations identify vulnerabilities in their systems that malicious actors could exploit.

We’ll discuss the differences in pen testing between CREST and CHECK, penetration testing providers, and how to select the right pen test provider for the relevant scheme.

CHECK and CREST are well-known pen testing schemes used by penetration testing providers in the UK to help organisations do this. Let’s get to know these.

Council of Registered Ethical Security Testers

CREST (Council of Registered Ethical Security Testers) is an internationally recognised accreditation and professional certification body, run as a not-for-profit membership organisation for technical security. It provides various security testing, accreditation, and certification schemes to the UK’s public and private sectors.

The CREST-certified membership scheme has now expanded its footprint globally, with a major presence across the Australian, Asian, and North American markets.

It is a not-for-profit membership body representing the technical information security market globally. As the accreditation and certification body, it endorses organisations to conduct data security, threat intelligence, and testing work.

CREST has now expanded into various disciplines beyond security controls and assessments. These include cyber incident response, security operations centre, and threat intelligence services, with varying CREST certification levels.

We have discussed many benefits of in-depth CREST certifications in our dedicated blog posts that would help you with all the details around exams and certifications.

Benefits of conducting CREST pen testing

  • CREST-approved penetration testing ensures high ethical and legal standards.
  • Each CREST member company signs a code of conduct, including member requirements such as stringent staff background checks and technical quality.
  • A commercial advantage in bids for businesses seeking cyber assurance for their products.
  • A CREST penetration test supports regulatory compliance requirements such as ISO 27001, GDPR, and PCI DSS.
  • Your chosen provider will ensure that business assets (APIs, web applications, devices, systems and networks) have mitigated vulnerabilities and follow the best practice guidelines.
  • Have peace of mind with a comprehensive review and direct input into your cybersecurity strategy.
  • Should buyers have concerns during the assessment, all CREST member companies have escalation and complaints policies as mandated by the CREST accreditation process.

CHECK Penetration testing certification  

The NCSC (National Cyber Security Centre) has approved certain companies under the CHECK scheme to perform authorised penetration tests on government departments, public-sector bodies, associated agencies, CNI systems, and networks.

The term “CHECK” refers to both the approved companies’ penetration tests and the methodology they use for these various penetration tests. This scheme for penetration tests was initiated by UK Government Communications Headquarters (GCHQ).

Provided NCSC accepts a company’s application, CREST-approved companies can attain CHECK status, also known as a green light. This process includes CREST accreditation, followed by the CHECK application process.

Organisations that use CHECK are likely aligned with the following criteria:

  • Cybersecurity companies approved under the CHECK scheme will assess all systems processing data marked OFFICIAL and above.
  • Computer systems processing data marked SECRET and above, such as those of organisations forming the UK’s critical national infrastructure, are to be assessed by CHECK team leaders with relevant clearance.
  • Other public sector bodies, government departments, and other sectors follow security controls and requirements as advised.

Benefits of CHECK Pen Testing

  • CHECK services such as pen tests are carried out in line with NCSC-recognised methods and standards.
  • Testing is carried out by NCSC-approved organisations and professionals who hold NCSC-approved qualifications gained by passing rigorous exams, subject to passing CREST exams and holding relevant clearances.
  • CHECK penetration testing can help you identify and fix security vulnerabilities in your systems and applications. This can help you improve your overall security posture and reduce your risk of being attacked.
  • CHECK penetration testing can help you demonstrate compliance with industry regulations such as PCI DSS, HIPAA, and GDPR. This can help you avoid fines and penalties from regulatory agencies.

CREST vs CHECK – Which scheme is right for your business?

Your business requirements define whether to utilise CHECK or CREST penetration testing. While the CHECK scheme utilises CREST exams as the base certification, NCSC has its own qualification criteria for companies and highly skilled individuals to serve public sectors such as national infrastructure, governments, defence, police, etc.

CREST penetration testing is the gold standard for private sector organisations in the UK. CREST is fast expanding its penetration test footprint globally with various regional chapters such as Europe, Australia, America, and Dubai.


Cyber attacks are not a matter of if, but when. Be prepared.

The box-ticking approach to penetration tests is long gone. We help you identify, analyse and remediate vulnerabilities so you don’t see the same pentest report next time.

Secure your cyber sphere with Cyphere’s CREST penetration testing services

Cyphere, a CREST-certified company, assures potential clients that a service-quality-focussed approach to business processes and assessments has tangible and intangible benefits supporting your business growth.


As a full penetration testing services provider, we have a no-faff policy that includes free retests, cancellations, and ongoing support to deliver the support you need.

If you are a business owner looking to discuss cyber security concerns, get in touch to schedule a CREST pen test or a business cyber security consultation.



Why is CHECK penetration testing important for your business?

Penetration testing is an essential cybersecurity test component for businesses of all sizes. When performed strategically, pen testing delivers critical input to an organisation’s IT investments, establishing the test as the backbone of your security strategy.

Providing a comprehensive assessment and analysis of known and latest vulnerabilities and security weaknesses, it enables organisations to identify where their IT infrastructure is most at risk and take the necessary steps to improve their security and data protection.
