DigitalXRAID

IT Health Checks (ITHC): Do You Know What Your Requirements Really Are?

Many organisations need to conduct an IT Health Check each year. They commission a supplier, receive a report, and tick the compliance box.

Yet a number of these organisations can’t confidently state that their IT Health Check actually meets current CHECK Scheme requirements, or would stand up to scrutiny if challenged by an auditor, regulator, or investigator after an incident.

That confidence gap matters. Expectations around IT Health Checks have changed, particularly following the update to the CHECK Scheme Standard in 2024. What was once loosely defined is now far more explicit.

Most importantly, some approaches that were previously accepted no longer meet the bar, and others were never robust enough in the first place. The lack of clarity around requirements is what allowed them to persist.

In this guide, we walk through what a UK IT Health Check really is, how it differs from penetration testing, what changed under the CHECK Scheme update, and what you are now expected to do differently. The aim is to give you full clarity on your requirements, show where organisations commonly go wrong so you can avoid the same pitfalls, and leave you with practical guidance for selecting and challenging IT Health Check providers with confidence.

Key Takeaways

  • An IT Health Check is not just a penetration test and not all assessments labelled ITHC meet CHECK Scheme requirements.
  • The 2024 CHECK Scheme Standard update clarified minimum expectations and removed long-standing ambiguity in delivery.
  • Automated, scan-led approaches on their own no longer meet the intent of an IT Health Check in regulated environments.
  • Organisations remain accountable for the quality and defensibility of their ITHC, even when delivery is outsourced.
  • Understanding the updated requirements is essential to avoid audit failure, regulatory challenge, or false assurance.


What is an IT Health Check (ITHC) in the UK?

An IT Health Check, often abbreviated to ITHC, is a structured cyber security assessment designed to provide assurance that an organisation’s systems are resilient against credible threats.

An IT Health Check typically includes scoping, threat-led testing across major system components, vulnerability exploitation where appropriate, and a report that explains impact in your environment.

In the UK, the term has a specific meaning in the public sector and other regulated environments, particularly where government or critical services are involved.

The purpose of an IT Health Check

IT Health Checks exist to give assurance that systems handling sensitive or critical information are not exposed to avoidable technical weaknesses. They’re intended to identify vulnerabilities that could realistically be exploited by an attacker, not just list theoretical issues.

There’s an important distinction between assurance, compliance, and real security insight:

  • Compliance focuses on meeting defined requirements.
  • Assurance focuses on being able to demonstrate that those requirements have been met properly.
  • Real security insight focuses on understanding how your systems would behave under attack.

A good IT Health Check should deliver all three.

Simply passing an assessment isn’t the same as being defensible. If your organisation suffers a breach or is selected for audit, the question won’t be whether you commissioned an ITHC, but whether that ITHC genuinely assessed the risks you face and was delivered in line with accepted standards.

Where ITHCs are typically required

IT Health Checks are most commonly required across the UK public sector, including central government departments, local authorities, and NHS organisations. They’re also expected in Critical National Infrastructure environments and other regulated sectors, where system failure or compromise could have serious public consequences.

Beyond formal mandates, ITHCs are often used to support third-party assurance, supplier onboarding, and audit activity. In these scenarios, the quality and credibility of the assessment can be just as important as the fact it exists.

IT Health Check vs Penetration Testing: Why the Difference Matters

One of the most common sources of confusion is the assumption that an IT Health Check is simply another name for a penetration test. While penetration testing is often part of an ITHC, the two are not interchangeable.

An IT Health Check isn’t just another pen test. It’s a broader assurance activity with defined expectations around scope, methodology, reporting, and governance.

Penetration testing services typically focus on identifying and exploiting vulnerabilities within a defined technical scope. An ITHC uses penetration testing techniques, but within a structured, threat-led framework, aligned to specific assurance objectives.

Penetration testing fits within an ITHC service as a means of validating whether identified threats can be realised in practice. The risk comes when organisations assume they’re equivalent services and commission a standard penetration test under the label of an ITHC.

This can result in gaps in coverage, insufficient depth, or reporting that doesn’t meet regulatory expectations.


The CHECK Scheme Explained (and Why It Matters More Than Ever)

The CHECK Scheme is the UK government’s assurance framework for providers delivering certain cyber security testing services into higher-risk environments. Its requirements are designed to ensure that testing is delivered consistently and produces evidence that stands up to scrutiny.

Understanding its purpose and limitations is essential if you’re responsible for commissioning an IT Health Check.

What the CHECK Scheme is designed to assure

The CHECK Scheme exists to give confidence that testing has been carried out by suitably qualified IT Health Check providers, using recognised methodologies. It’s overseen by the National Cyber Security Centre (NCSC), which sets expectations around competence, governance, and delivery quality.

CHECK is intended for environments where the consequences of compromise are significant. That includes systems connected to government networks, critical services, and sensitive data environments.

Who the CHECK Scheme is aimed at

One nuance that often gets missed is that the CHECK Scheme Standard is written primarily for ITHC providers, not customers. It defines how services should be delivered, how teams should be structured, and what quality looks like from the supply side.

For customers, this means you can’t assume that every service marketed as an ITHC automatically meets CHECK expectations. You’re expected to select CHECK providers who genuinely align with the scheme and to understand, at least at a high level, what compliant delivery looks like.

What Changed in 2024: The CHECK Scheme Standard Update Explained

The 2024 update to the CHECK Scheme Standard was a turning point for IT Health Checks in the UK. It addressed long-standing ambiguity and significantly raised the baseline for acceptable delivery.

Why the 2024 update was necessary

Historically, guidance around IT Health Checks left room for interpretation. This led to inconsistent delivery across the market.

Some providers focused on depth and realism, while others delivered minimum effort assessments designed to reduce cost and time.

The result was a wide range of quality under the same ITHC label. Organisations believed that they were receiving equivalent assurance, when in reality the outcomes varied significantly. The update was designed to close that gap.

The CHECK Scheme Standard v1.1 in plain English

The updated standard clarifies what an IT Health Check should include, how it should be scoped, and how testing should be conducted and reported. It places greater emphasis on threat-led testing, manual validation, exploitation, and context-aware reporting.

In simple terms, the update makes it harder to deliver a superficial ITHC and still claim compliance. It also makes it easier for customers to challenge poor quality delivery if they know what to look for.


The Key IT Health Check UK Requirements You’re Now Expected to Meet

Commissioning an ITHC is no longer just about procuring a service. It requires informed decision making and active engagement.

PSN compliance requirements

Public Services Network (PSN) compliance places specific expectations on how IT Health Checks are scoped, delivered, and evidenced. Where systems connect to, support, or have a trust relationship with PSN-connected services, organisations are expected to demonstrate that technical risks have been assessed thoroughly and in line with recognised UK assurance standards.

PSN compliance also places emphasis on defensibility. If selected for audit or review, organisations must be able to evidence not only that an IT Health Check was conducted, but that it was scoped appropriately, aligned to credible threats, and delivered in a way that supports assurance decisions.

For organisations operating in PSN-aligned environments, understanding these expectations is critical.

Mandatory scoping and risk alignment

Scoping meetings are no longer optional. They’re a formal requirement designed to ensure the assessment reflects your actual risks. These sessions should involve risk owners and technical stakeholders who understand system architecture and business impact.

Poor scoping often results in arbitrary exclusions, unrealistic assumptions, or over-reliance on sampling. In practice, this leads to blind spots that undermine the value of the assessment.

Threat-led testing, not tool-led scanning

Automated tools have a place in IT Health Checks, particularly for coverage and efficiency. However, heavy reliance on scanning without sufficient interpretation no longer meets expectations.

Manual validation, contextual analysis, and human judgement are essential to understand whether vulnerabilities are exploitable and meaningful in your environment. Low-cost providers often shortcut this step, delivering volume over insight.

Testing each threat across each major system component

One of the most significant clarifications is the requirement to test each identified threat across each major system component. A major system component could be a network segment, application tier, identity system, or integration point.

Sampling approaches may reduce effort, but they increase risk. If a threat exists across multiple components, testing it in only one place may provide false assurance. This requirement has clear implications for time, effort, and cost, but it also delivers more credible results.

Exploitation and post-exploitation are not optional

Identifying vulnerabilities is only part of the story. Exploitation and post-exploitation demonstrate what an attacker could actually achieve, such as privilege escalation, lateral movement, or data access.

From an audit perspective, this evidence matters. It shows that risks were tested realistically, not just theorised. It also significantly increases the practical value of the report for remediation planning.

Reporting expectations have tightened

Reports are no longer expected to be generic technical outputs. Findings must describe potential impact in the context of your organisation. Risk ratings must be consistent and meaningful, not simply inherited from scanning tools.

Poor reporting creates problems downstream. It can confuse remediation efforts, mislead decision makers, and expose organisations during audits or investigations.


Why Some Organisations Are Failing ITHCs (Without Realising)

Many organisations only discover problems with their IT Health Check when it’s too late. Common causes include engaging providers who don’t fully align with CHECK expectations, assuming that a lower-cost service still delivers equivalent assurance, or failing to challenge scope and methodology upfront.

Issues often surface during audits, regulatory reviews, or post-incident investigations. At that point, the focus shifts from whether an ITHC was done to whether it was done properly. The reputational and regulatory consequences can be significant.

How to Evaluate an ITHC Provider

Selecting an ITHC provider is no longer a transactional decision. It’s a risk-based decision that carries long-term consequences.

Why provider selection matters more than price

Cheap ITHCs often represent a false economy. Lower prices typically reflect reduced scope, limited manual effort, or minimal exploitation activity.

When something goes wrong, accountability doesn’t rest with the provider alone. It rests with the organisation that accepted the work.

IT Health Check Provider Checklist

Use this checklist to challenge IT Health Check service providers and validate whether their approach aligns with current expectations.

Scoping and governance

Do they run a formal scoping meeting?
Who is accountable as CHECK Team Leader?
How are risks identified and prioritised?

Testing methodology

How do they balance automation and manual testing?
Will they exploit vulnerabilities and perform post-exploitation?
How do they ensure full coverage across system components?

Reporting and assurance

Is impact tailored to your environment?
Is remediation clear and prioritised?
Will the report stand up to audit or regulator scrutiny?

Scheme alignment and competence

How do they demonstrate alignment with CHECK expectations?
How do they ensure tester competence and governance?
How do they protect your sensitive assessment data?

What “Good” Looks Like: Setting the Right Expectations Internally

Strong IT Health Checks start internally. Brief your stakeholders on why scope and depth matter. Be clear about the difference between compliance optics and defensible assurance. Justify appropriate budget by linking effort to risk reduction, not box-ticking.

Aligning security, compliance, and leadership expectations upfront reduces friction later and leads to better outcomes.

Final Thoughts: Are You Buying Assurance or Just a Report?

An IT Health Check should be a defensive asset, not just a document. Understanding your requirements is a key part of the process. The right provider helps you to meet those requirements, challenge assumptions, and stand up to scrutiny when it matters most.

Need Confidence That Your IT Health Check Meets Current CHECK Requirements?

If you want confidence that your IT Health Check service aligns with current CHECK Scheme expectations and delivers defensible assurance, speak to the DigitalXRAID team.

We understand both your technical and compliance landscape, and can provide you with clarity, depth, and standards-led delivery. If you’d like to discuss your environment or requirements, get in contact.


FAQs: IT Health Check Requirements

What is an IT Health Check (ITHC)?

An IT Health Check is a structured cyber security assessment used in UK public sector and regulated environments to assess whether systems are resilient against realistic cyber threats.

Why do UK organisations need an IT Health Check?

UK organisations need ITHCs to demonstrate assurance for sensitive or critical systems, often to meet government, regulatory, or third-party requirements.

What are the benefits of government-aligned ITHC assessments?

They provide defensible assurance, clearer audit outcomes, and greater confidence that risks have been assessed using recognised standards.

What are UK IT Health Check requirements for PSN compliance?

PSN-related environments typically expect an ITHC delivered in line with CHECK Scheme principles, including threat-led testing and robust reporting.

What does an ITHC involve?

An ITHC involves scoping, threat identification, penetration testing techniques, exploitation, post-exploitation, and detailed reporting.

What is the required IT Health Check scope and methodology?

Scope should cover all relevant system components and threats, using a mix of automated and manual testing aligned to CHECK expectations.

Who can perform a CHECK scheme ITHC?

CHECK scheme ITHCs must be delivered by providers that meet NCSC CHECK Scheme requirements and operate under its governance model.

How often should you conduct an IT Health Check?

Frequency depends on risk, system change, and regulatory expectations, but many organisations perform ITHCs annually or after major changes.

What is the CHECK scheme and why does it matter?

The CHECK Scheme is the UK government framework that assures the quality and competence of certain cyber security testing services.

How much does an IT Health Check cost in the UK?

Costs vary with scope, complexity, and depth of testing, but an ITHC delivered to CHECK Scheme requirements demands more time and specialist effort than a scan-led assessment, and is priced accordingly.

Difference between CHECK and CREST?

CHECK is the NCSC-run scheme for government-assured testing in higher-risk environments. CREST is a broader industry accreditation body that certifies individual testers and accredits companies to deliver penetration testing services. The two are not interchangeable: a CREST-accredited company is not automatically a CHECK provider, although CREST qualifications are among those NCSC recognises for CHECK team membership.
