Find the answers, start the journey
Please note at The Cyber Scheme we are phasing out the term Penetration Tester, having replaced it with Security Tester in line with The UK Cyber Security Council’s industry specialisms.
Penetration testers (otherwise known as pen testers and security testers) are the so-called “ethical hackers,” or the good guys. Penetration testers are hired by network system owners and web-based application providers to probe for vulnerabilities that hackers might be able to exploit to gather valuable data and intelligence, which can then be sold on or used to hold the company to ransom.
Testers simulate actual cyber attacks using a wide range of methods, in their attempt to discover vulnerabilities in security protocols for networks, systems, and web-based applications.
The goal is to find gaps in security systems before the real hackers can get in. As a result, pen testers often work on highly confidential and time-sensitive projects, hence the need for measures such as CHECK to be in place.
The NCSC is the UK’s ‘technical authority’ for cyber incidents. It is part of GCHQ, one of the UK’s security services, and was formed in 2016 to provide a unified national response to cyber threats.
The NCSC acts as a bridge between industry and government, providing a unified source of advice, guidance and support on cyber security, including the management of cyber security incidents.
CHECK is the term for the NCSC-approved penetration test companies and the methodology used to conduct a penetration test. Companies providing CHECK services do so using staff who hold NCSC-approved qualifications and have suitable experience. Penetration tests are conducted using NCSC-recognised methods, and the subsequent report and recommendations are produced to a recognised standard.
NCSC traditionally provided IT health check services to identify vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system for HM Government and the wider public sector.
Due to growing demand, a partnership with industry was deemed necessary. The IT Health Check Service, or CHECK, was developed to enhance the availability and quality of the IT health check services that are provided to Government in line with HMG policy. Companies belonging to CHECK are measured against high standards set by the NCSC.
The NCSC and The Cyber Scheme work in collaboration to provide a set of examinations that are acceptable to industry and meet the requirements of private and public sectors. The NCSC now requires all existing and future CHECK Team Leaders and Members to have passed an approved professional examination designed to test for a basic grounding in the discipline.
NCSC will accept a pass from one of our examinations when approving CHECK Team Member and Team Leader status.
Security Clearances: SC and DV
There is a range of security clearance levels for different roles within the cyber security industry.
Among the most common high-level security clearances in the UK are Security Check (SC) and Developed Vetting (DV). These are both rigorous processes and will be vital for anyone seeking a career in areas such as central government or defence.
Understanding Security Check clearances
SC clearance is the most common form of security clearance in the UK. Being SC cleared is a requirement for any role that involves frequent access to documents classified as Secret, or occasional supervised access to Top Secret files in government or defence organisations.
To receive SC clearance, a candidate will need to have been a UK resident for at least five years and undergo the following:
Completion of BPSS
A full security questionnaire
Checks on criminal records, credit and financial history, and Security Service records
A review of work history, including personal files, staff reports, sick leave returns and security records.
SC checks usually take a minimum of six weeks to complete.
The requirements for Developed Vetting
DV is the highest government security clearance in the UK and is required for personnel who will need frequent and uncontrolled access to Top Secret material, either directly as part of their job or indirectly.
DV is the most thorough form of vetting: you'll need to have been a UK resident for a minimum of ten years to apply for DV clearance, and you can expect the process to take up to nine months to complete.
In addition to the same types of checks required for SC clearance, the vetting procedure for DV jobs includes a detailed interview with an Investigating Officer for both the candidate and their referees.
Those who hold a DV clearance will be required to renew it after a maximum of seven years.
CTM = CHECK Team Member, the term applied by NCSC
The CSTM exam you take with The Cyber Scheme = Cyber Scheme Team Member. The terms are essentially interchangeable, with CSTM being the brand name for our CTM-level exam.
CTL = CHECK Team Leader, the term applied by NCSC
The CSTL exam you take with The Cyber Scheme = Cyber Scheme Team Leader. The terms are essentially interchangeable, with CSTL being the brand name for our CTL-level exam.
We offer two CTL-level exams, CSTL-INF (Infrastructure) and CSTL-Web App (Web Applications). There are no requirements for a pass in one exam before taking another; if you have any questions about your readiness to take an exam, please get in touch.
Passing an exam with The Cyber Scheme is one of the mandatory assurance checks undertaken by the National Cyber Security Centre (NCSC) before CHECK Team Member or Leader Status can be awarded. The Cyber Scheme cannot award CHECK status, but does award certificates recognised by NCSC as confirmation that the necessary technical standard for CHECK has been met.