What is penetration testing?
Penetration tests (also known as pen tests) systematically identify and assess the extent of cyber security vulnerabilities in your networks and applications.
Testers (also known as ethical hackers) will use the same methods as cyber attackers to find and test security weaknesses that might be used to gain access to your systems.
They will then produce a security testing report that you can use to inform your choice of cyber security controls, helping you secure your organisation where it is most vulnerable to attack.
What is CREST?
CREST (the Council of Registered Ethical Security Testers) is an international accreditation and certification body for organisations and/or individuals within the technical information security market.
IT Governance is CREST certified for penetration testing and vulnerability scanning.
CREST ensures that accredited companies use the correct policies, processes and procedures to maintain quality of service and protect client information. These organisations are assessed annually to confirm they meet the necessary standard.
Should my organisation use CREST?
If you want to assess where you are most at risk, using a CREST-registered company such as IT Governance assures you of the expertise of highly skilled, knowledgeable and competent testers.
All CREST member companies have been rigorously assessed to ensure they meet a high standard of engagement, using the most up-to-date methodologies to identify and test the latest vulnerabilities.
What is CHECK?
CHECK is the term for penetration testing organisations approved by the NCSC (National Cyber Security Centre) and for the methodology they use when testing.
CHECK services can only be offered by approved companies with experienced staff who hold NCSC-approved qualifications, and use methods recognised by the NCSC.
CHECK was developed for government departments, public-sector bodies and the organisations forming the UK’s critical national infrastructure.
Organisations in other sectors should use CREST.
Should my organisation use CHECK?
CHECK is required for government departments and their associated agencies:
- All systems processing data protectively marked ‘OFFICIAL’ will be assessed by organisations approved under CHECK.
- Requests for testing of systems processing data protectively marked ‘SECRET’ and above should be sent to the NCSC – which may recommend a CHECK organisation perform the task.
The NCSC strongly recommends that other public-sector bodies use CHECK companies “unless the system’s risk owner explicitly advises otherwise”.