Three UK schemes, one procurement question: which do you actually need?
UK buyers come to penetration testing through procurement. A customer, a regulator, or an insurer has asked for evidence that your security has been independently verified, and somewhere in the ask is an alphabet soup: CREST, CHECK, Cyber Essentials, Cyber Essentials Plus, ISO 27001, IASME. This article flattens the three that matter most for private-sector UK businesses into a single decision framework.
CREST — the industry standard for private-sector penetration testing
CREST (Council of Registered Ethical Security Testers) is a non-profit industry body that accredits firms and individual testers across penetration testing, red teaming, incident response, and threat intelligence. For private-sector UK buyers — SaaS, e-commerce, fintech, healthtech — a CREST-accredited firm is the default answer.
CREST accreditation operates at two levels. Firm-level accreditation means the company has been assessed on its processes, insurance, staff vetting, and delivery quality. Individual certifications sit on top: CREST Practitioner Security Analyst (CPSA) is the foundation exam, CREST Registered Penetration Tester (CRT) is the intermediate qualification, and CREST Certified Tester (CCT) is the senior one, with separate streams for web application (CCT App) and infrastructure (CCT Inf). See our CREST certification explainer for the detail.
Best fit: any UK private-sector business that needs an external penetration test for customer procurement, ISO 27001, SOC 2, or cyber insurance renewal. CREST is not a legal requirement, but it is the accreditation UK procurement and insurance teams recognise, so for most private-sector engagements it is the sensible default.
CHECK — the NCSC scheme for HMG systems
CHECK is operated by the National Cyber Security Centre (NCSC, part of GCHQ). It exists specifically to govern penetration testing of His Majesty's Government systems, and its remit is narrow and deliberately so. CHECK Team Members and Team Leaders are individuals security-vetted at SC or higher who meet NCSC's technical bar, evidenced through exams NCSC recognises (CREST or The Cyber Scheme) rather than an NCSC-run exam. CHECK companies are approved and listed by NCSC, and they are a smaller set than CREST firms.
CHECK is required for testing HMG systems, certain critical national infrastructure, and a handful of public-sector frameworks. It is not a substitute for CREST — the two schemes have different scopes, not different rigour levels. CREST covers a broader range of services; CHECK covers a specific use case with additional vetting.
Best fit: any organisation that operates or contracts to operate HMG systems or critical national infrastructure; government suppliers bidding into frameworks that require CHECK-certified testers.
Cyber Essentials and Cyber Essentials Plus — the UK baseline
Cyber Essentials is a UK-government-backed certification scheme focused on five baseline controls: boundary firewalls, secure configuration, access control, malware protection, and patch management. It was designed to give SMEs a clear, affordable way to demonstrate they have the basics in place.
Two tiers:
- Cyber Essentials — a self-assessment questionnaire reviewed by a certification body. Good for demonstrating the basics; not hands-on.
- Cyber Essentials Plus — a hands-on technical assessment by a certifying body. An assessor scans your external infrastructure, tests endpoint patching and configuration, and verifies that the controls actually work.
Neither tier performs application-layer penetration testing. They are about boundary and endpoint hygiene: the external scan in Cyber Essentials Plus will flag an unpatched web server or an exposed management port, but it will not exercise your application's authentication, authorisation, or business logic. If a customer specifically asks about your web application's security, Cyber Essentials Plus alone is not the answer; you need a pen test.
Cyber Essentials is a precondition for many UK public-sector contracts. It is a good thing to hold regardless; cost and effort are low compared with CREST or CHECK.
Best fit: every UK business. Required for a lot of public-sector work and increasingly expected in private-sector procurement too.
Quick comparison
| Dimension | CREST | CHECK | Cyber Essentials Plus |
|---|---|---|---|
| Who runs it | CREST (industry body) | NCSC | NCSC, delivered through IASME and its licensed certification bodies |
| Scope | Private-sector pen testing | HMG + critical infrastructure | Baseline controls |
| Covers app-layer testing? | Yes | Yes (HMG systems only) | No |
| Tester vetting required | CREST technical exams | SC or higher clearance + NCSC-recognised exam (CREST or Cyber Scheme) | N/A (controls-focused) |
| Indicative cost | £4k–£15k (web app test) | £5k–£25k (web app test) | £1.5k–£3k (assessment) |
| Renewal | Annual recommended | As required | Annual |
How to decide
Work through these questions in order:
- Do you sell to UK government or operate on HMG systems? If yes, you will need to work with a CHECK-accredited firm for the specific systems in question. CHECK is scoped narrowly, so you may still need CREST for other engagements.
- Do you bid into public-sector contracts? If yes, you almost certainly need Cyber Essentials (basic). Cyber Essentials Plus is stronger and often mentioned in procurement documents.
- Do enterprise customers ask for your pen test report? If yes, you need a CREST-accredited pen test with a proper report. Cyber Essentials Plus will not satisfy this ask.
- Are you pursuing ISO 27001 or SOC 2? A CREST pen test is the most efficient way to evidence the technical-testing controls. See our SaaS compliance playbook for the full mapping.
Most UK SaaS and e-commerce businesses end up with some combination of Cyber Essentials Plus (for procurement hygiene) and an annual CREST pen test (for deep assurance and customer-facing reports). CHECK only enters the picture if you work on HMG systems.
The individual matters more than the badge
A CREST-accredited firm is a necessary but not sufficient signal. The most important question is which individual tester runs your engagement. A firm with a roster of CCT-qualified testers is a strong signal; a firm that will not name the lead tester until contracts are signed is a weak one. Ask early, get the name and qualification in writing, and check it: CREST publishes a searchable directory of accredited member companies and certified individuals, so a claimed CCT can be verified rather than taken on trust.
The same applies to CHECK. CHECK Team Leader is a meaningful qualification; CHECK Team Member is the entry level. NCSC publishes the list of approved CHECK companies, so confirm the firm is on it before relying on the badge. A scheme logo on the sales deck tells you the firm is in the scheme. It does not tell you who will actually be testing your system.
What "right" looks like for a mid-market UK SaaS
For a typical £5M–£50M ARR UK SaaS selling to enterprise and mid-market customers, a sensible security-assurance stack looks like:
- Cyber Essentials Plus — annual, covers the basics, useful in procurement.
- CREST-accredited external penetration test — annual, covers the application and API layer.
- ISO 27001 — optional but increasingly expected for enterprise deals; uses the pen test as one of its evidence items.
- SOC 2 Type II — if you sell into the US market.
CHECK is not in this stack. It is only relevant if you contract to HMG.
YUPL's penetration testing service is CREST-accredited at the firm level, with named CCT-certified testers on every engagement. If you are mapping out which of these certifications your business needs next, book a scoping call and we will walk you through the options specific to your procurement pressure.
About the author. Spencer Schotel is CTO of YUPL, a CREST-accredited UK agency specialising in Laravel engineering and penetration testing.