CREST and CHECK are the two most-cited UK penetration testing accreditations — and the most commonly confused. They are not the same scheme, they don’t apply to the same use cases, and choosing the wrong one for your requirements can mean either paying for accreditation you don’t need or commissioning testing your auditor or regulator won’t accept.
This guide explains the difference, who each scheme is for, and how to decide which your business needs. Where both are required, we explain that too.
CREST vs CHECK: The Short Answer
- CHECK is an NCSC-run scheme specifically for testing UK government and public sector systems. It’s narrow in scope but mandatory where it applies.
- CREST is a private-sector accreditation body covering penetration testing in commercial and many public-sector contexts. It’s broader and is the default standard for most UK businesses.
Most UK private sector businesses need CREST, not CHECK. Most central government suppliers need CHECK in addition to CREST. Some sectors (financial services, critical national infrastructure) reference CREST and may also reference CHECK or sector-specific frameworks like CBEST.
CREST Penetration Testing
CREST (Council of Registered Ethical Security Testers) is an international not-for-profit accreditation and certification body for penetration testing, threat intelligence, and incident response services.
Who Runs It
CREST is an independent, member-led not-for-profit. It operates internationally — UK, Europe, Asia-Pacific, US — and has the broadest acceptance of any commercial penetration testing accreditation in the UK.
What It Covers
CREST covers two layers: company accreditation (the testing firm itself meets quality, insurance, and process requirements) and individual certification (the engineer holds a CREST examination-based certification such as CRT or CCT, with CCT the more advanced level, demonstrating technical competence). Check both: an accredited company can still staff an engagement with uncertified testers unless you ask for named, certified engineers.
Where It’s Required
- FCA- and PRA-regulated firms: the Bank of England's CBEST scheme and the STAR-FS framework for firms outside CBEST scope both require CREST-accredited providers
- Bank of England STAR and CBEST schemes
- Most enterprise procurement frameworks in the UK
- Many cyber insurance policies
- NHS England Data Security and Protection Toolkit
- Many central government procurement frameworks (alongside CHECK where applicable)
- SOC 2 and ISO 27001 auditors typically accept CREST-certified pen testing as evidence
Verifying CREST
Verify any provider’s CREST status at crest-approved.org. Both company accreditation and individual engineer certifications are searchable in the public directory.
CHECK Penetration Testing
CHECK (the IT Health Check Service) is run by the UK National Cyber Security Centre (NCSC) — a part of GCHQ. It is the scheme that approves providers to test UK government and public sector ICT systems.
Who Runs It
NCSC, the UK’s technical authority for cybersecurity. CHECK is a government scheme, not a commercial accreditation.
What It Covers
CHECK approval covers companies and individuals authorised to perform IT Health Checks for UK government departments, local authorities, the NHS, and other public sector bodies handling sensitive government information. Individual testers are certified at two levels: CHECK Team Member (CTM) and CHECK Team Leader (CTL). Approval is required for the company and the lead tester.
Where It’s Required
- Testing UK central government departments and agencies
- Public sector systems handling OFFICIAL-SENSITIVE or above
- NHS systems requiring formal IT Health Checks
- Defence supply chain testing under MOD requirements
- Some local authority procurement frameworks
- Critical national infrastructure operators where NCSC guidance applies
Verifying CHECK
NCSC publishes a directory of approved CHECK companies on its website. The directory lists company approval; individual CTM/CTL status is not searchable there, so ask the provider to name the CHECK Team Leader and Team Members assigned to your engagement and confirm their status. Verify via NCSC sources rather than relying on vendor claims.
CREST vs CHECK: Side-by-Side Comparison
| Aspect | CREST | CHECK |
|---|---|---|
| Run by | CREST International (not-for-profit) | NCSC (UK government) |
| Scope | Commercial and broader public sector | UK government and public sector specifically |
| Geography | International (UK, EU, APAC, US) | UK only |
| Required for | FCA, banks, enterprise, CBEST, cyber insurance, SOC 2/ISO 27001 | Central government, NHS, MoD supply chain, OFFICIAL-SENSITIVE systems |
| Verification | crest-approved.org public directory | NCSC published directory |
| Engineer certification levels | CRT, CCT (multiple specialisms), CCSAM, CCSS, CPIA | CTM, CTL |
| Insurance requirement | Specified PI insurance level | NCSC-defined requirements |
| Annual maintenance | Required | Required |
| Suitable for SOC 2 / ISO 27001 evidence | Yes | Yes (rarely required specifically) |
| Suitable for CBEST / STAR-FS | Yes: both require CREST-accredited providers | No: CHECK is not referenced by CBEST or STAR-FS |
| Suitable for testing UK government systems | Sometimes accepted; CHECK often preferred | Yes — required for OFFICIAL-SENSITIVE+ |
Which Should UK Businesses Require?
Most UK Private Sector Businesses → CREST
For SaaS companies, financial services, retail, healthcare, manufacturing, and most private sector businesses, CREST is the right standard. It covers your audit, regulatory, insurance, and procurement requirements without paying for CHECK accreditation overhead you don’t need.
UK Government Suppliers → Often Both
Companies bidding for central government contracts, MoD work, or NHS systems handling OFFICIAL-SENSITIVE information will typically need CHECK-approved testing for the government-facing aspects of their work. They may also need CREST for their commercial work and for SOC 2/ISO 27001 evidence. Some testing firms (including some larger CREST-certified firms) hold both accreditations.
FCA-Regulated Firms → CREST
The FCA does not require CHECK. UK financial services threat-led testing runs through CBEST (operated by the Bank of England with the PRA and FCA) and STAR-FS for firms outside CBEST scope, both of which require CREST-accredited providers. CHECK approval is not required and does not substitute for CREST in this context.
Critical National Infrastructure → CREST + Sector Frameworks
CNI operators (energy, water, transport, telecoms) typically require CREST and may also reference sector-specific frameworks. CHECK is generally not required outside government supply chains, but check NCSC guidance specific to your sector.
Beyond CREST and CHECK: What Else to Look For
Accreditation is necessary but not sufficient. Even with the right accreditation, evaluate:
- Engineer experience — Certifications prove minimum competence; ask about engineer years of experience in the specific test type relevant to your engagement.
- Reporting quality — Ask to see a sample report (anonymised). Look for CVSS scoring, reproduction steps, and specific remediation guidance.
- Communication during testing — Will you receive critical findings in real time, or only in the final report? The former enables remediation during the engagement window.
- Specialist competence — For mobile app testing, cloud assessments, or red team exercises, generic CREST certification is the floor — look for specialist certifications and demonstrated experience in the specific area.
- UK delivery: confirm work is performed by UK-based engineers, not subcontracted offshore. This matters for data sovereignty and NDA enforceability, and CHECK engagements additionally require security-cleared UK testers.
Frequently Asked Questions
Is CHECK better than CREST?
Neither is “better” — they apply to different use cases. CHECK is mandatory for UK government supply chain testing of OFFICIAL-SENSITIVE+ systems. CREST is the standard for commercial penetration testing and broader public sector use. Most UK private businesses need CREST, not CHECK.
Can a CREST company test UK government systems?
For some public sector engagements, CREST is accepted. For systems handling OFFICIAL-SENSITIVE or above, CHECK is typically required and CREST alone is not sufficient. Always check the specific procurement framework or system classification.
Is EJN Labs CREST-certified?
Yes. EJN Labs is a CREST-approved penetration testing company. Verify our accreditation directly at crest-approved.org.
Do I need both CREST and CHECK?
Only if you operate in or sell to the UK government supply chain at OFFICIAL-SENSITIVE level or above. Otherwise, CREST alone is sufficient for the overwhelming majority of UK businesses.
Is CREST accepted for SOC 2 and ISO 27001?
Yes. SOC 2 and ISO 27001 auditors typically accept CREST-certified penetration testing as evidence of technical security testing. CHECK is rarely specifically required for these frameworks.
Get the Right Test for Your Requirements
Not sure whether you need CREST, CHECK, or both? Tell us your context — regulatory, procurement, insurance, or audit driver — and we’ll advise honestly. If we’re not the right vendor for your specific requirement, we’ll tell you who is.