What is CHECK and CREST penetration testing?

Kieran Roberts Headshot
Kieran Roberts
Penetration Tester
08th February 2022

CHECK and CREST are two separate accreditations approved for use by the National Cyber Security Centre (NCSC), and the Council of Registered Ethical Security Testers (CREST).

CHECK, which is an abbreviation of IT Health Check Service, is an NCSC initiative for protecting government and public sector systems in line with government policy. The Council of Registered Ethical Security Testers, or CREST accreditation has been developed to serve organisations within the private sector, although it too works in collaboration with the NCSC.

Using a CHECK or CREST certified company for penetration testing services ensures that you are using a competent, legitimate vendor that adheres to industry best practice.

What is penetration testing?

Penetration testing is the practice of breaking into and gaining access to organisational computer systems and security infrastructure, for the purpose of identifying access points and weaknesses within the software that could leave business open to a data breach.

Penetration tests, or “pen tests,” as they are commonly referred to within the cybersecurity and IT communities, are used to find potential vulnerabilities within a company computer system. Penetration testing is usually carried out by experienced professional hackers (aka ethical hackers), hired to run the necessary checks on IT systems. It is important to note that penetration tests are usually conducted by external hires for the simple reason that IT specialists within the company are too close to the process of building its systems to take an objective look at the infrastructure and identify weak points.

External cybersecurity specialists or agencies, such as Bulletproof, pride themselves on providing accurate and detailed penetration testing, with the main vulnerabilities usually outlined in a final report, including suggestions for improvements and ways to implement them. Penetration Testing should ideally be well resourced by every business with access to shared computing, but it is often pushed along the pipeline until a security breach has been identified- by which point systems have inevitably been compromised. We take a closer look at why it is so crucial to carry out regular Pen Tests with trusted third-party providers.

Why is pen testing important?

Pen testing is one of the best ways for a company to protect itself from hackers and away from the prying eyes of the competition, as well as other cybersecurity threats. This is because the process of penetration testing is designed to cover all the steps that a cybercriminal would take to break into systems. The only difference is that in the case of penetration testing, nothing really gets stolen, and no data is left exposed – all vulnerability exploits are carried out with the sole purpose of patching them up after the test is finished.

Penetration testing helps businesses to identify their greatest areas of risk and where their systems are vulnerable. They can also serve to test an organisation’s existing security controls and determine their current cyber resilience. Another key reason Penetration testing is so vital to businesses, is that it supports compliance in line with essential legislation such as the Data Protection Act, GDPR (General Data Protection Regulation) compliance, and adherence to standards such as ISO (Information Security Officer) 27001 and PCI DSS (Payment Card Industry Data Security Standard).

CHECK vs CREST – pen test accreditations

Carrying out regular penetration tests for your businesses IT infrastructure is necessary if you want to keep yours and your customers’ data safe and secure. However, this does not mean that you can just hire any coding freelancer or IT whiz with a computer science degree to test the security of your systems. Aside from the obvious pitfall of running into a real-life hacker, you also run the risk of hiring someone with subpar skills or lacking due diligence processes.

Thankfully, there are accreditation schemes that grant cybersecurity companies the legitimacy they need for potential clients to weed out the professionals from the amateurs and bad actors. CHECK and CREST are two of the most popular pen test accreditation schemes in the UK backed by the National Cyber Security Centre and international standards for ethical security testing.

CHECK explained

Created by the National Cyber Security Centre (NCSC), CHECK is an accreditation scheme directly endorsed by the UK government. It is used primarily to certify the cybersecurity experts working for government departments, public sector bodies, and other organisations that can be considered part of the UK’s CNI (Critical National Infrastructure). Penetration tests conducted by CHECK-approved members will do so using NCSC recognised methods.

CREST explained

CREST (Council of Registered Ethical Security Testers) is an internationally recognised non-profit organisation devoted to providing accreditation to cybersecurity service companies providing penetration tests, threat intelligence, cyber incident response, and SOC (Security Operations Centre) services. Their stamps of approval are acknowledged globally and not so easy to come by: to gain CREST certification, cybersecurity agencies need to get their data security, testing methodologies, and business processes thoroughly vetted by a CREST representative.

Which one is better for your business?

CHECK-certified agencies are required for government departments and associated organisations, and strongly advised for public sector bodies. If an organisation is not public sector, then it does not require a CHECK-certified service provider to conduct penetration testing. In any other instance, the CREST certification is what you should look for in your penetration testing providers, as it is the best measure of a cybersecurity company’s legitimacy and competence that is also internationally recognised.

There are merits to both CHECK and CREST depending on which sector of business you are in. Companies who provide CHECK services will be required for organisations which make up the UK’s national infrastructure, whereas CREST-approved agencies are suitable for organisations across all other sectors. What is important is that penetration testing forms a critical part of assessing the cyber resilience of an organisation.


Penetration testing is crucial for identifying vulnerabilities in an organisational network, and to stress-test existing cybersecurity defences. The end goal of a penetration test is to help businesses secure their user and business-critical data, which should be a top priority for every organisation, regardless of type and size. Depending on the industry your company falls into, CHECK and CREST-approved services are the go-to accreditation schemes for helping to identify professional cybersecurity vendors and tell them apart from the amateurs, ensuring that you have access to industry-approved penetration tests conducted by the experts.

Kieran Roberts Headshot

Meet the author

Kieran Roberts Penetration Tester

Kieran is a security tester who’s contributed to articles on a range of pen testing topics, including industry insights and best practices.

Make your business bulletproof!

If you are a business owner looking for a reputable company to test your IT infrastructure, look no further than Bulletproof. Based in the UK, we are a CREST-certified cybersecurity company with long years of experience in the areas of penetration testing, threat monitoring and protection, as well as incident response. Contact us and get a free quote today!

Get a quote

Related resources

Trusted cyber security & compliance services from a certified provider

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.