A buyer’s guide to CHECK in 2025
Lewis Cradduck

10 Sep 2025

TL;DR

  • CHECK is NCSC’s assurance scheme for penetration testing.
  • It has changed. From 2025, CHECK Team Leaders must hold a Principal title with the UK Cyber Security Council, and Team Members must hold a Practitioner title by March 2026.
  • It is mandatory for government and public-sector systems that handle classified information, but open to any organisation that wants the same level of assurance.
  • NCSC reviews reports and uses anonymised findings to identify national risks.
  • To get value from CHECK, clients should prepare well, support the test, and act on the results.

What is CHECK, when should you use it, and why?

CHECK is NCSC’s assurance scheme for penetration testing. It began as a way for government and critical systems to be tested safely, but any organisation can use it if they want the same standard.

CHECK must be used when systems handle information classified OFFICIAL (including material carrying the OFFICIAL-SENSITIVE handling caveat), SECRET, or TOP SECRET. At SECRET and above, reports stay with you, although NCSC may ask for them later. Outside government, using CHECK is optional, but it gives confidence that your testing is carried out to the same recognised national standard.

A CHECK provider gives you testers who are security cleared to work on sensitive systems and who follow NCSC's approved testing methodology, which goes beyond automated scanning. They deliver reports in a format that NCSC reviews and accepts.

In short, you use CHECK when you need assurance that your test meets the government-approved standard and will be recognised as such by NCSC and the public bodies that rely on it.

What's new in 2025?

Professional titles are now mandatory. Team Leaders (CTLs) must hold a Principal title with the UK Cyber Security Council, and Team Members (CTMs) must hold a Practitioner title by March 2026. Some team leaders will also hold Chartered status, which reflects deeper experience and contribution to the profession.

What do the titles mean for you?

The UK Cyber Security Council runs the professional titles system that maps to CHECK roles. A Practitioner title signals proven technical skills in a tester who is still building experience.

A Principal title signals the person who leads the engagement, is accountable for delivery end to end, and owns the final report.

Chartered status sits above both and reflects sustained expertise and wider professional contribution. The shift raises assurance for clients because individual testers are accountable to an independent professional body, not only to their employer.

Preparing for a CHECK test

A CHECK test is only as good as its scope, and the scheme makes clear that clients play a part in defining it.

The scope is the blueprint that decides what we test, why we are testing it, and how deep we go. It should set out the business objectives and the crown-jewel systems, list the in-scope assets and environments, record what is out of scope, and confirm the test window, any change freeze, and the approvals needed before testing starts.

Under CHECK, the written scope normally covers both external and internal exposure, with representative vulnerability scanning of endpoints, servers, network devices, and key applications. Scans are credentialed where possible, and for large estates the scope records a justified sampling approach rather than claiming full coverage it cannot deliver.

Your part is to share a clear picture of the environment, provide test accounts and access, flag operational constraints or special handling requirements, line up people who can answer questions quickly, and secure any third-party permissions. This last point is especially important for cloud and managed services, where the hosting provider may need to authorise testing.

Our part is to map realistic threats to that picture, propose the right mix of testing, and explain how we will validate findings safely. That includes agreeing stop conditions, clean-up steps, and evidence handling, and documenting any trade-offs where ideal coverage is not possible.

What to expect in your report

CHECK reports follow strict rules set out in the CHECK Scheme Standards. Every report must include:

  • An executive summary for senior, non-technical readers.
  • A clear picture of your organisation’s risks.
  • Prioritised findings with recommendations.
  • Neutral, professional language.

Where reports go depends on the classification of the system:

  • For systems at OFFICIAL (including OFFICIAL-SENSITIVE), reports are also submitted to NCSC.
  • For systems at SECRET or TOP SECRET, reports stay with you but may be requested by NCSC later.

Why these matter

Using a CHECK provider gives you layers of assurance.

  1. Competence: testers are security cleared and hold independent professional titles.
  2. Quality: NCSC samples and reviews reports to confirm the scheme's standards are being met.
  3. National benefit: anonymised findings help NCSC track vulnerability trends across the UK.

Reports remain confidential: findings shared with NCSC are anonymised, and your organisation is never named publicly.

Conclusion

CHECK in 2025 has had an overhaul. With mandatory professional titles for testers, and clear rules on reporting and methodology, you can be confident that a CHECK engagement is delivered to a recognised national standard.

Assurance is a two-way street. The more prepared you are with scope, access, and the right people, the more value you will get from the test.

One final note: a CHECK report is not just for compliance. It is designed to help you understand your risks, plan fixes, and strengthen your security. Used properly, it will help protect your organisation and support greater resilience.