CHECK and CREST are two of the most widely used, internationally recognised UK-based penetration testing schemes, helping organisations identify vulnerabilities in their systems that malicious actors could exploit.
We’ll discuss the differences between CREST and CHECK penetration testing, the providers that deliver each, and how to select the right pen test provider for the relevant scheme.
Both schemes are used by penetration testing providers in the UK to help organisations achieve this. Let’s get to know them.
What is CREST penetration testing?
CREST (Council of Registered Ethical Security Testers) is an internationally recognised not-for-profit membership body for the technical security industry, providing accreditation and professional certification. It offers a range of security testing, accreditation and certification schemes to the UK’s public and private sectors.
The CREST membership scheme has since expanded its footprint globally, with a major presence across the Australian, Asian and North American markets.
Council of Registered Ethical Security Testers
CREST is a not-for-profit membership body representing the technical information security market globally. As an accreditation and certification body, it endorses organisations to deliver security testing and threat intelligence services.
CREST has now expanded into disciplines beyond security controls and assessments. These include cyber incident response, security operations centre (SOC) and threat intelligence services, each with its own CREST certification levels.
We have discussed the benefits of CREST certifications in depth in our dedicated blog posts, which cover the details of the exams and certifications.
Benefits of CREST penetration testing
- CREST-approved penetration testing ensures high ethical and legal standards.
- Each CREST member company signs a code of conduct, which includes member requirements such as stringent staff background checks and technical quality standards.
- A commercial advantage for businesses that need to demonstrate cyber assurance for their products when bidding for contracts.
- A CREST penetration test supports regulatory compliance requirements such as ISO 27001, GDPR, and PCI DSS.
- Your chosen provider will ensure that business assets (APIs, web applications, devices, systems and networks) have their vulnerabilities identified and mitigated in line with best-practice guidelines.
- Have peace of mind with a comprehensive review and direct input into your cybersecurity strategy.
- Should buyers have concerns during the assessment, all CREST member companies have escalation and complaints policies as mandated by the CREST accreditation process.
CHECK penetration testing explained
The NCSC (National Cyber Security Centre) has approved certain companies under the CHECK scheme to perform authorised penetration tests on government departments, public-sector bodies, associated agencies, and critical national infrastructure (CNI) systems and networks.
The term “CHECK” refers both to the penetration tests performed by these approved companies and to the methodology they use for them. The scheme was initiated by GCHQ (Government Communications Headquarters).
CREST-approved companies can attain CHECK status, also known as a “green light”, provided the NCSC accepts their application. The process therefore consists of CREST accreditation first, followed by the CHECK application.
Organisations that use CHECK typically fall under the following criteria:
- Cybersecurity companies approved under the CHECK scheme will assess all systems processing data marked OFFICIAL and above.
- Systems processing data marked SECRET and above, such as those belonging to organisations that form the UK’s critical national infrastructure, must be assessed by CHECK team leaders holding the relevant security clearance.
- Other public sector bodies, government departments and other sectors follow the security controls and requirements advised for them.
Benefits of CHECK pen testing
- CHECK services such as pen tests are carried out in line with NCSC-recognised methods and standards.
- Testing is delivered by NCSC-approved organisations and professionals who hold NCSC-recognised qualifications, subject to passing rigorous CREST exams and holding the relevant clearances.
- CHECK penetration testing can help you identify and fix security vulnerabilities in your systems and applications. This can help you improve your overall security posture and reduce your risk of being attacked.
- CHECK penetration testing can help you demonstrate compliance with industry regulations such as PCI DSS, HIPAA, and GDPR. This can help you avoid fines and penalties from regulatory agencies.
Which scheme is right for your business?
Your business requirements define whether to use CHECK or CREST penetration testing. While the CHECK scheme uses CREST exams as its base certification, the NCSC has its own qualification criteria for companies and highly skilled individuals serving public sectors such as national infrastructure, government, defence and policing.
CREST penetration testing is the gold standard for private sector organisations in the UK. CREST is rapidly expanding its penetration testing footprint globally through regional chapters covering Europe, Australia, America and Dubai.
Cyber attacks are not a matter of if, but when. Be prepared.
The box-ticking approach to penetration testing is long gone. We help you identify, analyse and remediate vulnerabilities so you don’t see the same pentest report next time.
Secure your cyber sphere with Cyphere’s CREST penetration testing services
Cyphere, a CREST-certified company, assures potential clients that a service-quality-focused approach to business processes and assessments delivers tangible and intangible benefits that support business growth.
As a full-service penetration testing provider, we have a no-faff offerings policy that includes free retests, cancellations and ongoing support to deliver the help you need.
If you are a business owner looking to discuss cyber security concerns, get in touch to schedule a CREST pen test or a business cyber security consultation.
We have covered several CREST-related topics extensively that you may want to explore:
- CREST penetration testing guide and methodology
- Learn about the CREST Defensible Penetration Test (CDPT) and business benefits
- What a CREST-approved provider is, and why choosing a CREST-certified company is important
- Understanding CREST-accredited penetration testing
- Your guide to CREST vulnerability assessments
- Get to know the CREST penetration testing maturity model
- CREST Certification benefits, cost, OSCP equivalent and other details
Why is penetration testing important for your business?
Penetration testing is an essential component of cybersecurity for businesses of all sizes. When performed strategically, pen testing delivers critical input to an organisation’s IT investment decisions, establishing the test as a backbone of your security strategy.
By providing a comprehensive assessment and analysis of known and newly disclosed vulnerabilities and security weaknesses, it enables organisations to identify where their IT infrastructure is most at risk and take the necessary steps to improve their security and data protection.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.