NCSC CHECK Programme
Become an NCSC-approved penetration tester through CREST certification. Learn how to achieve CHECK Team Leader or Team Member status and deliver security testing for UK government and public sector organisations.
What is the NCSC CHECK Programme?
The IT Health Check Service, known as CHECK, was developed and introduced by the National Cyber Security Centre (NCSC) to identify vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity, or availability of information held on that IT system for HMG and the wider public sector of systems handling protectively marked information.
The NCSC and CREST work in collaboration to provide a set of examinations that are acceptable to industry and meet the requirements of private and public sectors. The NCSC now requires all existing and future CHECK Team Leaders and Members to have passed an approved professional examination designed to test for a basic grounding in the discipline.
CHECK certification demonstrates that penetration testers possess the technical competence and professional standards required to assess the security of government and public sector IT infrastructure. This rigorous framework ensures that only qualified professionals conduct security testing on systems handling sensitive or protectively marked information.
How to Achieve CHECK Team Status
NCSC will accept a pass from one of the following CREST examinations when approving CHECK Team Leader and Team Member status.
CHECK Team Member
Requires passing the CREST Registered Penetration Tester examination. This certification demonstrates competence to conduct penetration testing assignments under supervision.
CHECK Team Leader (Infrastructure)
Requires passing the CREST Certified Infrastructure Tester examination. Qualified to lead infrastructure penetration testing engagements for government systems.
CHECK Team Leader (Web Applications)
Requires passing the CREST Certified Web Application Tester examination. Qualified to lead web application security testing for public sector organisations.
Steps to Become a CHECK Certified Professional
Choose Your Certification Path
Select the appropriate CREST examination based on your career goals: Team Member (RPT), Infrastructure Team Leader (CIT), or Web Application Team Leader (CWAT).
Complete CREST Training
Enrol in a CREST-accredited training course from an approved provider like arcX. Build the technical skills and knowledge required to pass your chosen examination.
Pass the CREST Examination
Book and successfully complete your CREST examination via Pearson Vue. This demonstrates your technical competence in penetration testing.
Obtain Security Clearance
Apply for and obtain SC (Security Check) clearance, which is mandatory for all CHECK Team Members and Leaders working on government systems.
Join an NCSC-Approved Provider
Ensure your employer is an NCSC-approved CHECK Service Provider that adheres to all programme requirements and standards.
How to Become an NCSC-Approved CHECK Provider
If you are interested in your organisation becoming an NCSC-approved CHECK provider of penetration testing services, the NCSC sets high standards for CHECK Service Providers against which all new applicants are measured.
Mandatory Criteria for CHECK Providers
All CHECK companies must meet the following requirements to be considered for NCSC approval and maintain their status as approved service providers.
Your company must be able to sign up to English law
Your company must have performed penetration testing services under the company name for a minimum of 12 months
All proposed team members must be able to hold SC clearance
You must have a minimum of one team member who has passed a CHECK Team Leader examination and has at least 12 months of penetration testing experience
Additional Requirements
Beyond the mandatory criteria, organisations must demonstrate compliance with NCSC standards and maintain appropriate team structures.
Compliance with NCSC Standards
Adherence to all rules and procedures set out by the NCSC for CHECK Service Providers
Qualified Team Structure
Appropriate mix of Team Leaders and Team Members with relevant CREST certifications
Security Vetting Process
Established procedures for obtaining and maintaining security clearances for all team members
Important Notice
Obtaining passes in the required CREST examinations does not automatically guarantee CHECK Team status for individuals or organisations. You will also be required to obtain Security Clearance and ensure your organisation adheres to all rules set out by the NCSC for CHECK Providers. CHECK Team Leader and Member certifications are valid for three years, after which you will need to re-certify.
Frequently Asked Questions About CHECK Certification
CREST certification is a professional qualification that demonstrates your technical competence in penetration testing. CHECK status is an additional approval granted by the NCSC that allows you to conduct security testing on UK government and public sector systems. You must first obtain the relevant CREST certification, then meet additional requirements (such as SC clearance) to achieve CHECK status.
CHECK Team Leader and Team Member certifications are valid for three years from the date of approval. After this period, you will need to re-certify by passing the current version of the relevant CREST examination and maintaining your security clearance.
All CHECK Team Members and Team Leaders must be able to obtain and maintain SC (Security Check) clearance. This is a UK government security clearance level that involves background checks and vetting. Your employer will typically sponsor your clearance application.
Security clearance requirements typically require UK citizenship or significant UK residency. However, specific eligibility criteria for SC clearance can vary. You should consult with your employer or the NCSC directly regarding clearance eligibility for non-UK citizens.
Most professionals start with the CREST Registered Penetration Tester (CRPT) examination to achieve CHECK Team Member status. This is the entry-level certification. You can then progress to Team Leader certifications (CIT or CWAT) as you gain experience. Many candidates take the CREST Practitioner Security Analyst (CPSA) examination as preparation for the CRPT.
Yes. Individual CHECK certification is only valid when you are employed by an NCSC-approved CHECK Service Provider. If you change employers, your new organisation must also be an approved CHECK provider for you to conduct CHECK work.
SC clearance applications are typically sponsored by your employer. Once you have secured employment with an NCSC-approved CHECK Service Provider, they will initiate the clearance process on your behalf. The vetting process involves background checks, employment history verification, and reference checks. Processing times vary but typically take several months.
If you do not pass your CREST examination on the first attempt, you can retake it after a waiting period. CREST sets specific retake policies to maintain examination integrity. Use the time between attempts to identify knowledge gaps, complete additional study, and strengthen your understanding of weak areas. Our training courses include exam preparation materials and practice questions to help you succeed.
Begin Your Journey Today, For Free
Join 70,000+ professionals who have advanced their careers with arcX. Start with our free CTI 101 course and discover if cyber threat intelligence is right for you.