{"id":25867,"date":"2025-12-15T13:08:54","date_gmt":"2025-12-15T12:08:54","guid":{"rendered":"https:\/\/cyberinsights.iainfraser.net\/?p=25867"},"modified":"2026-03-16T12:27:59","modified_gmt":"2026-03-16T11:27:59","slug":"ncsc-check-scheme","status":"publish","type":"post","link":"https:\/\/smecyberinsights.co.uk\/index.php\/2025\/12\/15\/ncsc-check-scheme\/","title":{"rendered":"PENETRATION TESTING: What the NCSC CHECK scheme means for UK SMEs buying penetration testing"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\"SECURUS\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\"PENETRATION\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t
Image Credit:Freepik<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

Gibraltar:\u00a0 Monday, 15 December 2025 \u2013 13:30 CET<\/p>\n

PENETRATION TESTING: What the NCSC CHECK scheme <\/strong>means for UK SMEs buying penetration testing
\n<\/strong>By: Iain Fraser<\/a>\u00a0\u2013\u00a0Cybersecurity Journalist
\n<\/a>Published in Collaboration with SECURUS Communications<\/a>
\nGoogle Indexed AIO on: 151225 at 15:00 CET <\/a>
\nSMECyberInsights.co.uk<\/a> | First for SME Cybersecurity News<\/a>
\n#SMECybersecurity #SMECybersecurity #SMEStrategy #Securus #GoldStandard #SecurityStrategy #FWaaS #ManagedSecurity<\/em><\/p>\n

\ufeff<\/span>\ufeff<\/span><\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

What is the NCSC CHECK scheme and what benefits will this afford SMEs<\/strong><\/p>\n

The NCSC CHECK scheme is a UK government assurance framework for penetration testing of public sector and critical national infrastructure systems; it does not certify tests for private firms, but it does set a high assurance bar. For UK Small & Medium Enterprises<\/a>, CHECK requirements are a practical benchmark for selecting and managing penetration testing providers.<\/p>\n

Intro: the opportunity and risk for UK SMEs<\/strong><\/p>\n

For UK Small & Medium Enterprises<\/a>, the NCSC\u2019s CHECK scheme is a useful yardstick for judging penetration testing quality, even if you never buy a formal CHECK test. In 2024 the NCSC tightened entry rules for providers, linking CHECK to Cyber Essentials Plus and UK Cyber Security Council titles. For SME leaders, this arrives as cyberattacks, regulatory expectations and supply chain demands are all increasing.<\/p>\n

The CHECK scheme is a trusted NCSC framework that assures companies to conduct penetration testing on government and critical national infrastructure systems. While it is aimed at public sector testing, the criteria NCSC sets for CHECK companies highlight what \u201cgood\u201d looks like when you buy a penetration test.<\/p>\n

Key implications for UK SMEs:<\/strong><\/p>\n

* Treat CHECK criteria as a quality benchmark <\/strong>when choosing a provider.<\/p>\n

* Expect stronger focus on data protection and handling<\/strong>; CHECK firms must hold Cyber Essentials Plus.<\/p>\n

* See CHECK status as a signal<\/strong>, not the only proof of competence; many capable SMEs and consultancies are outside the scheme.<\/p>\n

* Use CHECK\u2011style expectations in contracts to reduce supply chain and regulatory risk<\/strong>.<\/p>\n

Align penetration testing with\u00a0ICO expectations<\/strong>\u00a0around risk assessment and data protection by design.<\/p>\n

Authoritative insight: what NCSC and others are saying<\/strong><\/p>\n

The NCSC explains that CHECK is \u201cthe scheme under which NCSC assured companies can conduct authorised penetration tests of public sector and CNI systems and networks\u201d and sets specific entry criteria for providers, including Cyber Essentials Plus and UK Cyber Security Council professional titles for team leaders (accessed 2025) .<\/p>\n

The Department for Science, Innovation and Technology (DSIT) reported in the 2024 Cyber Security Breaches Survey<\/em> that 32% of UK businesses identified a cyber breach or attack in the previous 12 months, rising to 59% for medium\u2011sized firms. The survey also notes that smaller organisations are less likely to take systematic actions such as regular security testing.<\/p>\n

The ICO\u2019s monetary penalty notices and casework show that inadequate technical and organisational measures, including poor vulnerability management, remain a recurring theme in UK enforcement decisions. For SME owners, this links directly to how rigorously you test and fix weaknesses in your systems.<\/p>\n

What CHECK provider criteria actually require<\/strong><\/p>\n

From the NCSC\u2019s Information for CHECK providers<\/strong> page, any company applying must currently:<\/p>\n

* Maintain an in\u2011date Cyber Essentials Plus <\/strong>certificate covering all systems where customer engagement information is stored or processed.<\/p>\n

* Supply at least two penetration test reports <\/strong>done under their company name and written by at least one proposed CHECK Team Leader.<\/p>\n

* Ensure all proposed CHECK team members are eligible for SC clearance<\/strong>(a UK government security clearance level for sensitive work).<\/p>\n

* Have at least one proposed CHECK Team Leader who holds a UK Cyber Security Council Professional Title in Security Testing at Principal or above<\/strong>.<\/p>\n

For SME buyers, this means:<\/strong><\/p>\n

A CHECK\u2011assured company has passed\u00a0both technical and governance<\/strong>\u00a0scrutiny by NCSC.<\/p>\n

The firm should have\u00a0mature reporting<\/strong>, as NCSC reviews example reports.<\/p>\n

Staff have been screened to a level suitable for\u00a0government work<\/strong>, which is relevant if you handle sensitive or defence\u2011adjacent contracts.<\/p>\n

However, many excellent UK testing firms will not be CHECK providers because they do not work with government or do not need SC\u2011cleared staff. Lack of CHECK status is not an automatic red flag; it simply means you must be more deliberate with due diligence.<\/p>\n

SME\u2011specific impact: budgets, skills and supply chain exposure<\/strong><\/p>\n

For UK Small & Medium Enterprises<\/a>, the CHECK scheme affects penetration testing indirectly, through expectations set by government and larger customers.<\/p>\n

Common SME realities:<\/p>\n

Tight budgets<\/strong><\/p>\n

Full CHECK\u2011assured tests may be overkill unless you service government contracts.<\/p>\n

However, using CHECK criteria in your procurement helps you spend limited security budget more wisely.<\/p>\n

Limited in\u2011house skills<\/strong><\/p>\n

Many SMEs lack internal security architects who can evaluate test quality.<\/p>\n

CHECK guidelines and NCSC buyer advice help you ask sharper questions and avoid low\u2011value \u201ctick\u2011box\u201d tests.<\/p>\n

Supply chain pressure<\/strong><\/p>\n

Larger customers increasingly demand evidence of robust testing.<\/p>\n

Being able to say you use providers aligned with NCSC expectations can help satisfy questionnaires and audits.<\/p>\n

Regulatory exposure<\/strong><\/p>\n

Under UK GDPR, the ICO expects \u201cappropriate technical and organisational measures.\u201d Regular vulnerability and penetration testing is often part of that story, especially where you handle high\u2011risk personal data.<\/p>\n

Benefits for SMEs that use CHECK as a benchmark<\/strong><\/p>\n

Using the CHECK scheme as a north star gives UK SMEs practical, grounded benefits even if you never commission a formal CHECK test.<\/p>\n

Strategic benefits:<\/p>\n

Stronger assurance for boards and investors<\/strong><\/p>\n

Demonstrates that testing is aligned with recognised UK government standards.<\/p>\n

Better alignment with public sector and CNI buyers<\/strong><\/p>\n

Helpful if you already supply, or aim to supply, government, NHS or regulated utilities.<\/p>\n

Operational wins, with examples:<\/p>\n

Higher quality reports<\/strong><\/p>\n

CHECK\u2011style reporting makes it clearer which vulnerabilities are exploitable in the real world and how they map to business impact, so your teams can prioritise scarce remediation resources.<\/p>\n

Improved data handling<\/strong><\/p>\n

Requiring Cyber Essentials Plus levels of control for systems holding test artefacts reduces the risk of test data itself being leaked.<\/p>\n

More realistic testing<\/strong><\/p>\n

CHECK companies are experienced at testing live, sensitive systems without causing disruption; useful if you have critical applications that cannot easily be taken down.<\/p>\n

Better supplier governance<\/strong><\/p>\n

Embedding CHECK\u2011aligned clauses in contracts (secure storage, staff vetting, clear scope and rules of engagement) helps avoid misunderstandings and unmanaged risk.<\/p>\n

Quick action steps for SME leaders<\/strong><\/p>\n

Here are pragmatic steps UK Small & Medium Enterprises<\/a> can take without turning into security auditors.<\/p>\n

Clarify why you are testing<\/strong><\/p>\n

Define whether the driver is regulatory duty (eg ICO expectations), customer requirements, insurance or simple risk reduction. Cost: free; 1\u20132 hours with IT and operations.<\/p>\n

Check your own basics first<\/strong><\/p>\n

Align with NCSC guidance and consider Cyber Essentials or Cyber Essentials Plus before buying advanced testing. Cost: CE from low thousands; improves overall posture.<\/p>\n

Use CHECK criteria in your RFPs<\/strong><\/p>\n

Ask providers whether they meet or approximate the CHECK requirements (eg CE Plus, SC\u2011eligible staff, recognised professional titles), even if they are not in the scheme. Cost: free; improves quality.<\/p>\n

Demand sample reports<\/strong><\/p>\n

Ask for a redacted penetration test report. Check that it is clear, prioritised and business\u2011focused, similar to what NCSC expects from CHECK submissions. Cost: free; 1\u20132 hours review.<\/p>\n

Define scope and data\u2011handling rules in writing<\/strong><\/p>\n

Specify which systems are in scope, what is out of bounds, and how test data will be stored and deleted. Align with your data protection policies and ICO guidance. Cost: some legal time, but prevents major issues.<\/p>\n

Tie testing to remediation and retest<\/strong><\/p>\n

Budget not only for the initial test but for fixes and a focused retest of high\u2011risk issues. This is what regulators and insurers will expect if something goes wrong. Cost: variable; high value.<\/p>\n

Keep an audit trail<\/strong><\/p>\n

Store contracts, reports and remediation evidence in a central, access\u2011controlled location. Vital if you face an ICO investigation or major customer due diligence. Cost: negligible.<\/p>\n

Looking ahead: what SME leaders should watch<\/strong><\/p>\n

The bar for professional penetration testing in the UK is steadily rising as NCSC, the UK Cyber Security Council and regulators sharpen expectations. You can expect more emphasis on formally recognised professional titles, clearer reporting and assured schemes for different types of testing. For SME leaders, the direction of travel is clear; ad\u2011hoc \u201ccheap pen tests\u201d with thin reports will become harder to defend to boards, customers and regulators.<\/p>\n

Using CHECK as a reference point keeps your approach aligned with UK best practice, even if your business is far from Whitehall.<\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"PENETRATION\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\tMeet Securus<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\"SECURUS\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t
<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

SECURUS Communications Ltd<\/strong><\/p>\n

Securus<\/a> <\/strong>is a managed communications Operator, providing next-generation network infrastructure and value added services to Managed Hosting providers and the ‘cloud generation’\u200b of enterprises. Securus<\/a> <\/strong>priority is to offer communication services that represent excellent value for money and are backed by exceptional levels of support.<\/p>\n

Contact Securus<\/strong>
\nSecurus Communications Ltd
\nStation Road, Landmark house, Hook, England RG27 9HA, GB
\nT: Enquiries:\u00a003451 283457<\/span><\/a>\u00a0| Service Desk: 03451 283458<\/a>
\nSecurus on LinkedIn<\/a> | Securus on “X”<\/a> | https:\/\/securuscomms.com<\/a><\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t

\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t

\n\t\t\t\t\t<\/span>\n\t\t\t\t\tLatest Posts from SECURUS Communications<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t<\/h2>\n\t\t\t<\/div>
\n\n
\n
\n\n
\n \n \n \"AI-Powered <\/a>\n\n \n