CREST vs CHECK Certification: UK Penetration Testing Accreditations Compared
If you are looking for a penetration testing provider in the UK, you will quickly encounter two prominent accreditations: CREST and CHECK. Both signal quality and competence, but they serve different purposes and are governed by different bodies. Understanding the distinction is important for making the right procurement decision.
What Is CREST?
CREST (the Council of Registered Ethical Security Testers) is an international not-for-profit accreditation body for the cybersecurity industry. Founded in 2006, it accredits both companies and individual testers. CREST is recognised across the UK, Europe, Asia-Pacific, and increasingly in North America.
For a company to gain CREST accreditation, it must demonstrate robust processes, quality management, data handling procedures, and employ testers who hold CREST qualifications. The organisation undergoes a rigorous assessment that evaluates its testing methodology, reporting standards, and operational security.
Individual testers can hold several CREST certifications. The most recognised are CREST Registered Penetration Tester (CRT), which is the entry-level professional qualification, and CREST Certified Tester (CCT), which comes in infrastructure and application variants and represents a senior level of expertise. There is also the CREST Certified Simulated Attack Manager (CCSAM) for red team leads.
CREST accreditation is widely accepted across the private sector. Many enterprise procurement processes, particularly in financial services, require CREST-accredited testing. It is also recognised by regulators and industry bodies.
What Is CHECK?
CHECK is the UK government's scheme for assuring the quality of penetration testing services provided to public sector organisations. It is administered by the National Cyber Security Centre (NCSC), which is part of GCHQ.
CHECK status is specifically designed for testing UK government systems, networks, and infrastructure. To achieve CHECK status, a company must first hold CREST accreditation, then undergo additional assessment by the NCSC. Individual testers working on CHECK engagements must hold specific qualifications.
CHECK Green status means the company can test at standard sensitivity levels. CHECK status (sometimes informally called CHECK approved) covers a broader range of government testing. The NCSC maintains a list of CHECK-approved companies that public sector organisations can use for procurement.
Key Differences Between CREST and CHECK
Scope of application is the most significant difference. CREST accreditation is relevant across all sectors, both public and private, and internationally. CHECK is specifically for UK government and public sector testing. If you are a private company, CREST accreditation is what you should look for. If you are a UK government body, you need a CHECK-approved provider.
Governing body is another distinction. CREST is an independent industry body. CHECK is a government scheme run by the NCSC/GCHQ. This gives CHECK particular authority and credibility for public sector work.
Requirements differ as well. CHECK builds on top of CREST. A company must be CREST-accredited before it can apply for CHECK status. CHECK then adds additional requirements around tester vetting, security clearance, and operational procedures specific to government environments.
Cost implications are worth noting. CHECK-approved providers typically charge a premium over CREST-only providers, reflecting the additional requirements, security clearances, and overhead involved in maintaining CHECK status.
Which Do You Need?
If you are a UK government department or public sector body, you should use a CHECK-approved provider for testing government systems. This is often a procurement requirement.
If you are a private sector organisation, CREST accreditation is the standard to look for. It provides strong assurance of testing quality and methodology. Many compliance frameworks and enterprise buyers specifically require CREST-accredited testing.
If you are pursuing PCI DSS compliance, you need a PCI ASV (Approved Scanning Vendor) for automated scanning and may want a QSA (Qualified Security Assessor) for the overall assessment. However, CREST-accredited testers are widely accepted for the manual penetration testing component.
Other Accreditations Worth Knowing
CBEST is a threat intelligence-led penetration testing framework specifically for the UK financial sector. It is overseen by the Bank of England and requires CREST-accredited providers.
TIBER-EU is the European framework for threat intelligence-based ethical red teaming, similar to CBEST but for European financial institutions.
Cyber Essentials and Cyber Essentials Plus are UK government-backed certification schemes. Cyber Essentials Plus requires a hands-on technical verification, but this is not the same as a full penetration test.
ISO 27001 is an information security management system standard. While not specific to penetration testing, many providers hold this certification to demonstrate their own security practices.
Individual tester certifications also matter. Look for OSCP (Offensive Security Certified Professional), CREST CRT/CCT, GXPN (GIAC Exploit Researcher and Advanced Penetration Tester), and similar recognised qualifications.
Making Your Decision
Start by clarifying your requirements. If compliance mandates a specific accreditation, that narrows your choices. If you have flexibility, CREST accreditation is a reliable baseline that signals professional, quality-assured testing.
Browse our provider directory to filter by accreditation and compare CREST and CHECK-approved penetration testing companies side by side. You can also read reviews from other organisations to understand the real-world quality of each provider's work.