TL;DR
- CTLs must hold a minimum UK Cyber Security Council title of Principle.
- CTMs must hold a Practitioner title by March 2026.
- CHECK companies require Cyber Essentials Plus.
- Expect frequent, detailed NCSC report reviews.
- Only CTLs can write reports, keep language neutral.
- Stay current with CPD, Training and NCSC masterclasses.
Chartership and professional titles
UKCSC has announced that the CHECK Team Leaders and CHECK Team Members will be required to have a professional title in order to continue delivering work under the CHECK scheme.
What does Chartership mean for the CHECK Scheme?
UKCSC runs the professional titles system. It sets out the standards for the cyber industry, much like other professions. Accountants, Engineers etc.
Under CHECK, this means:
- Practitioner = CHECK Team Member (CTM). Shows you can test and are working on your development.
- Principal = CHECK Team Leader (CTL). Shows leadership, experience, and responsibility for engagements.
- Chartered = CHECK Team Leader (CTL), top level. A wealth of experience and contribution in cyber.
This means testers are now assessed not only on technical skill, but also on their professionalism, ethical conduct, and commitment to ongoing learning.
Testing practices under CHECK
One of the biggest shifts in the updated Scheme Standard is around the testing itself. CHECK has always been about more than running a vulnerability scan, but NCSC are now being clearer on what that means in practice.
A few things stand out:
Scoping first
The scope must be clearly defined and agreed upon with the client before testing begins. It should state what is in and out of scope, confirm the schedule, and explain how risks will be managed. NCSC requires a written scope covering both external and internal systems, with representative vulnerability scanning of endpoints, servers, network devices and key applications, using credentialed scans where possible. For large estates, sampling is allowed but must cover at least ten per cent of the environment, with higher coverage giving more accurate results.
Methodology
CHECK testing must follow the NCSC method: reconnaissance, analysis, exploitation, and post-exploitation. The difference now is the push to show how weaknesses can be used and combined into realistic attack paths, not just listed one by one.
Risk aware
Exploitation should be safe and controlled. The point is to prove a risk, not cause downtime. NCSC have made it clearer that testers must think about business impact, not just technical gain.
Evidence based
Reports need proper evidence and plain explanations, so the client understands both the technical flaw and the business risk. This isn’t new, but it’s being reinforced after NCSC QA showed too many reports were still “tool output dumps”.
Clean up
Any accounts, scripts, or files created during a test must be removed at the end. Again, not new, but flagged more strongly now as clients raised concerns about leftovers.
Team accountability
A Primary CTL must always be responsible and available during testing. They also own the final report. NCSC have underlined this point to stop confusion over who is accountable.
The bottom line
CHECK is not vulnerability scanning, and NCSC is tightening up how that’s enforced. Automated scanners can throw out hundreds of findings, many of them false positives. Under CHECK, testers are expected to validate results, show realistic exploitation, and explain the actual business impact. The focus is now firmly on risk and remediation, not just raw data.
Reporting in the CHECK Scheme
Reporting under the CHECK scheme has become far more rigorous. NCSC has increased both the number and frequency of report reviews. Each report must now meet clear criteria to pass quality assurance. This means using neutral, professional language throughout, including an executive summary written for non-technical readers, and structuring findings so that clients can clearly prioritise fixes. Reports should also assign clear severity ratings and provide tailored, actionable recommendations to guide remediation efforts.
Reporting standards: https://www.ncsc.gov.uk/files/CHECK-Scheme-Standard.pdf
It is important to understand that if reports do not meet the CHECK criteria, it is possible that the primary CTL on the job could risk losing their CHECK status.
Staying current
To maintain CHECK status, testers must stay active and engaged within the scheme. This means carrying out CHECK assessments regularly to keep skills current, attending at least two NCSC events or masterclasses each year, and maintaining accurate records of all training and continuing professional development (CPD) activities in case they are reviewed. Technical Leads are ultimately responsible for the quality of reports issued under their supervision and for ensuring that every member of their team continues to develop professionally.
Apply for your UKCSC title now, don’t wait. Applications are made through one of the UK Cyber Security Council’s licensed professional bodies, such as CIISec or BCS. Choose the level that matches your role and submit evidence of your experience, ethics, and professional development.
Renewal requirements
The rules for staying in the CHECK scheme have shifted. You no longer need to submit a CTM or CTL pass certificate from Crest or the Cyber Scheme. Instead, the key to renewal is holding the right Chartership title for your level.
Here’s where it gets a little tricky. UKCSC still expects proof of technical competence when you submit. The good news? If you had a valid pass certificate when you applied for your Chartership, you’re covered for the next three years, even if that exam technically expires in the meantime.
We know there’s still some grey area here, and both UKCSC and CHECK are expected to release more detail on how renewals will work going forward. As soon as they do, we’ll break it down for you so you can stay ahead of the curve.
Conclusion
The overhaul of the CHECK scheme is big. The threshold has been raised with the implementation of Chartership, report reviewing and detailed testing requirements. Technical ability is no longer the only requirement. Testers must show that they are both responsible and professional when conducting these engagements.
The key is to write reports that go beyond tool output, keep your title up to date, and make sure your work explains real risks and business impact with clear fixes.
