CHECK Fundamental Principles
This is a summary of the principles which form the basis of the CHECK service.
The CHECK scheme enables penetration testing by NCSC-approved companies, employing penetration testing personnel qualified to assess IT systems for HMG and other public sector bodies.
For Central Government Departments and their associated agencies:
- All systems processing data protectively marked OFFICIAL will be assessed by companies approved under CHECK.
- Requests for testing on systems processing data protectively marked SECRET and above should be sent to the NCSC. We may, depending on the details, recommend that the task be performed by a CHECK company.
For other public sector bodies:
- We strongly recommend that all systems be assessed by a CHECK company unless the system's risk owner explicitly advises otherwise.
The principles below are not intended to be a comprehensive list of the principles of CHECK. Although they form the basis of the CHECK Service, the CHECK contract and Service Provision Guidelines should be consulted for greater detail. The CHECK contract shall take precedence over this document if any issue of conflict occurs.
- All CHECK companies must be able to sign up to English law.
- Any company accepted into CHECK must have performed penetration testing services under the company name for a minimum of 12 months.
- If an application to join CHECK is rejected it cannot be resubmitted within a 12 month period. The decision of the assessment panel is final and there is no appeal process for new applicants.
- All team members must be able to obtain and hold an SC clearance.
- The NCSC will sponsor an SC clearance, if required. Security forms must be returned by the requested deadline. Where security forms have not been returned, and following two reminders to return documents, no further attempts will be made to pursue paperwork. Failure to comply will result in the clearance application being stopped. The vetting decision is final. It is the CHECK company's responsibility to ensure the clearance remains valid and the sponsor is kept up to date with any changes in circumstances which may affect the clearance.
- To be accepted as a CHECK Team Member, each individual must have passed one of the CHECK Team Member examinations. CHECK Team Leaders must have passed one of the CHECK Team Leader examinations, provided a technical (only) CV and 2 redacted reports they have authored, and have at least 12 months of penetration testing experience. Further information on this is covered under Composition of a CHECK team.
- If a member of a CHECK team transfers, it is the responsibility of the importing CHECK company to verify the status of the individual’s clearance.
- Membership is valid for a period of 1 year at a time. CHECK companies must renew their membership by the required date, otherwise membership will lapse. If membership lapses the company will no longer be able to provide penetration testing services under CHECK and will be removed from our web site.
- In order to undertake work under the terms and conditions of CHECK, a Company must hold ‘Green Light’ status, which is achieved by at least one individual of the CHECK team holding CHECK Team Leader status.
- Any on-site penetration testing must be led by a CHECK Team Leader who is present for the duration of testing. For systems handling protectively marked material at SECRET and above, it is highly recommended that customers employ a minimum of 2 CHECK Team Leaders for an engagement.
- The CHECK company must notify the NCSC in advance of any penetration testing task they undertake which falls under the remit of the scheme. Notification should be sent at least 5 working days before the start of each task.
- A copy of the report, in line with the published reporting guidelines, must be sent to the NCSC within 4 weeks of it being issued to the customer.