NCSC IT Health Check (ITHC)
Annual NCSC CHECK assessments for UK public sector organisations. Our Security Checked consultants deliver cyber security health checks covering PSN Code of Connection, GovAssure CAF, and HSCN compliance, with reports accepted by the PSN Authority on first submission.
One Assessment, Multiple Frameworks
Your ITHC satisfies the technical assurance requirements of every major UK public sector security framework. Identify your compliance obligation below.
Conducted Under the NCSC CHECK Scheme
Our IT Health Check covers every domain required for PSN Code of Connection compliance, GovAssure CAF assessment, and HSCN accreditation. CHECK-accredited team leaders oversee all testing phases.
Internal Infrastructure
A comprehensive audit of your internal network, including Active Directory, domain controllers, servers, and workstations. We identify lateral movement paths, privilege escalation routes, and misconfigurations across your connected estate.
External Perimeter
Scanning all internet-facing IP addresses and web applications to ensure no open doors exist for remote attackers targeting your public-facing infrastructure.
Wireless Security
Auditing corporate and guest WiFi networks for encryption strength, segregation, and rogue access points across all physical sites included in the ITHC scope.
Remote Access (VPN)
Verifying that remote workers connect securely and that endpoint posture checks are rigorously enforced across all remote access pathways, including split-tunnel configurations.
Build Reviews
Detailed configuration reviews of gold images (laptops, servers) against NCSC and CIS hardening guidelines, covering all sample device types required by the CHECK scheme.
GovAssure / CAF Alignment
For central government departments subject to GovAssure, we map ITHC findings to the NCSC Cyber Assessment Framework objectives. Our reporting provides the independent technical assessment evidence required for your annual GovAssure submission to Cabinet Office.
Engagement Workflow
Structured to minimise operational friction and maximise the value of the testing window.
Scoping
We define the boundary of the ITHC, typically critical systems, core networking, and a sample of end-user devices. Scoping documentation is agreed within 5 working days, enabling immediate procurement sign-off. (Week 1-2)
Testing Phases
Executing the CHECK-scheme test plan across all domains: internal infrastructure, external perimeter, wireless, and remote access. Typically 5-10 testing days conducted onsite and remotely. (Weeks 2-5)
Remediation
Critical findings are escalated immediately. You have a defined remediation window (typically 2-4 weeks) to apply patches before the report is finalised. We support your team through prioritisation. (Weeks 5-7)
Final Report
We issue the final ITHC report in the format required by your accreditor: PSN Authority, NCSC, HSCN, or Cabinet Office (GovAssure). Report delivery within 5 working days of testing completion. (Week 7-8)
CREST-Accredited. Verifiable. UK-Based.
In a market where providers claim CHECK status without verification, provenance matters. Every Precursor ITHC is delivered by salaried, security-cleared engineers who hold CREST certification and operate under the NCSC CHECK scheme.
CREST Accredited
All testing delivered by CREST-certified consultants operating under the NCSC CHECK scheme, verifiable on both the CREST and NCSC CHECK directories.
Call to Report Delivery
From initial scoping call to accreditor-accepted final report in as little as two weeks. Timeline scales to meet PSN renewal and GovAssure submission cycles.
ITHC Pricing by Organisation Type
Fixed-price quotes based on estate scope. Bring your IP range count and we will provide a precise quote within 48 hours.
All quotes are fixed-price with no hourly overruns.
What You Receive
Every ITHC engagement includes the following deliverables, formatted for both technical teams and accreditor submission.
Reports are delivered via our real-time penetration testing portal with role-based access. Also available in PDF and DOCX formats for accreditor submission.
Between Annual ITHCs, Stay Protected.
Your ITHC is a point-in-time assessment. Our defensive security services provide continuous monitoring, threat detection, and incident response to maintain your security posture between annual health checks.
Managed SOC
24/7 threat detection and response from our UK-based Security Operations Centre, monitoring your estate between ITHCs.
Managed Detection and Response
Feed ITHC findings directly into our MDR to create custom detection rules for your specific vulnerabilities.
External Network Penetration Test
Targeted external infrastructure assessment between annual ITHCs for perimeter assurance.
Cloud Security Configuration
Dedicated Azure and AWS configuration review beyond the scope of the standard ITHC cloud assessment.
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
The best time to test your defences is now.
Join the high-growth companies relying on Precursor for continuous offensive and defensive security.
Frequently Asked Questions
Common questions about this service, methodologies, and deliverables.
An IT Health Check (ITHC) is a structured security assessment of an organisation's IT estate, conducted under the NCSC CHECK scheme. It covers internal infrastructure, external perimeter systems, wireless networks, remote access controls, and configuration reviews of key systems. The ITHC is the primary compliance mechanism for organisations connecting to the Public Services Network (PSN) and Health and Social Care Network (HSCN), and provides technical assurance evidence for GovAssure submissions. It is distinct from a commercial penetration test in that it is mandatory for many public sector organisations, conducted by NCSC CHECK-accredited and security-cleared consultants, and reported in a format accepted by government accreditors. Historically referred to as the CESG IT Health Check before CESG's functions transferred to NCSC.
CREST is an industry certification body covering commercial penetration testing. CHECK (NCSC CHECK scheme) is a UK government scheme operated by the National Cyber Security Centre, mandatory for testing government systems and PSN-connected networks. Key differences: CHECK consultants are individually vetted and hold government security clearance (SC or DV); CHECK methodology is aligned to NCSC requirements; CHECK reports are accepted by the PSN Authority, Cabinet Office, and HSCN accreditors where CREST-only reports are not. If your organisation connects to PSN, GovAssure, or HSCN, or if your contract specifies CHECK-approved testing, you require a CHECK-accredited provider. You can verify Precursor Security's CHECK listing on the NCSC directory.
GovAssure requires central government departments to submit an annual self-assessment against the NCSC Cyber Assessment Framework (CAF). While the self-assessment is completed internally, it must be supported by independent technical evidence, including the results of a CHECK-accredited security assessment. Our GovAssure-aligned ITHC maps findings to specific CAF objectives (covering 'Managing Security Risk', 'Protecting Against Cyber Attack', 'Detecting Cyber Security Events', and 'Minimising the Impact of Incidents') and provides reporting in the format required to substantiate your CAF self-assessment ratings. We can advise on how to align the ITHC engagement timeline with your annual GovAssure submission cycle.
Yes. We have delivered ITHC assessments for NHS Trusts and health sector organisations with HSCN connectivity. Our assessments scope the HSCN connection boundary as well as relevant internal systems, with testing protocols designed to avoid disruption to live clinical services. Findings are mapped to NHS Data Security and Protection Toolkit (DSPT) requirements where applicable, supporting your annual DSPT submission. If you are uncertain whether a full CHECK ITHC or a targeted network assessment is required for your specific HSCN compliance obligations, we provide pre-scoping advisory at no charge.
The Public Services Network (PSN) is the UK government's secure network infrastructure. Organisations that connect to PSN (including local authorities, police forces, fire services, and NHS bodies) must maintain a Code of Connection (CoCo) that demonstrates their security posture meets PSN Authority requirements. A mandatory element of CoCo compliance is an annual IT Health Check conducted by a CHECK-accredited provider. The ITHC demonstrates that your organisation's connected systems do not introduce vulnerabilities to the wider PSN. Without a valid ITHC from a CHECK-accredited provider, your PSN Code of Connection cannot be renewed. Loss of PSN connectivity disrupts core public services including revenues and benefits systems, HR, and inter-agency data sharing. We provide end-to-end PSN ITHC services including scope documentation advice, testing, remediation guidance, and final report delivery in the format required by the PSN Authority.
NCSC IT Health Check pricing typically ranges from £8,000 to £25,000+ depending on scope, estate size, and security clearance requirements. Small district councils or arm's-length bodies (internal, external, wireless, two build reviews) start from £8,000. Medium unitary or county councils and NHS Trusts with additional cloud tenants and multiple sites typically fall in the £10,000-£18,000 range. Large central government departments requiring full estate coverage, multiple domains, and DV clearance typically range from £18,000-£25,000+. We provide fixed-price quotes after reviewing your scope documentation. All testing is delivered by CHECK-accredited, security-cleared consultants. See the pricing breakdown in our ITHC FAQ above, or contact us for a scoping call. Bring your IP range count and we will provide a quote within 48 hours.
For most UK public sector organisations connected to the PSN (Public Services Network), an annual ITHC is a mandatory requirement for Code of Connection (CoCo) compliance. ITHC is also required for HSCN connectivity (NHS), GovAssure (central government departments), and organisations handling OFFICIAL-SENSITIVE or higher classified data.
From scoping to accreditor-accepted report in 6-8 weeks. Step 1 (scoping and documentation review): Week 1-2. Step 2 (testing phases, onsite and remote): Weeks 2-5. Step 3 (remediation window and re-testing): Weeks 5-7. Step 4 (final report and accreditor submission): Week 7-8. Comprehensive testing typically requires 5-10 days onsite plus additional time for external testing and reporting. We can advise on timeline alignment with your PSN renewal or GovAssure submission cycle.
Internal vulnerability scanning cannot satisfy ITHC requirements for several reasons: (1) PSN Code of Connection explicitly requires testing by CREST-accredited external providers, and internal assessment does not satisfy this mandate; (2) GovAssure requires independent third-party assessment against the NCSC CAF; (3) internal teams lack the adversarial mindset and exploitation skills to identify attack chains that scanners miss; (4) CHECK accreditation ensures your report is accepted by the PSN Authority, HSCN, and other accreditors; (5) external consultants with SC or DV clearance can test classified environments without creating insider risk; and (6) a fresh perspective identifies vulnerabilities that teams familiar with their own systems overlook. Most public sector organisations use internal IT for continuous monitoring while engaging CHECK teams for annual compliance testing.
No. Local authorities handling citizen data and connected to PSN or HSCN face the same compliance requirements as larger departments: (1) PSN Code of Connection applies regardless of authority size; (2) ransomware groups specifically target smaller authorities knowing they have fewer resources (the 2024 Redcar and Cleveland attack cost £10.4M in recovery); (3) LGA Cyber 360 and the National Cyber Strategy require demonstrated security improvements; (4) citizen data (council tax, benefits, housing, social services) is equally valuable to attackers regardless of population served; and (5) shared services arrangements mean your vulnerabilities could cascade to partner authorities. We offer streamlined ITHC packages for smaller authorities starting from £8,000, a fraction of breach recovery costs and essential for maintaining PSN connectivity.
Yes. Modern ITHCs almost always include Azure and AWS tenants as major government workloads have moved to the cloud. We assess cloud configuration, identity management, and the security of hybrid connectivity between cloud and on-premise environments.
There is no pass or fail in the traditional sense, but critical vulnerabilities must be remediated. We work with you to prioritise fixes so you can maintain your accreditation. Most organisations receive some critical or high findings. The key is demonstrating a remediation plan and timeline to the accreditor. We provide structured remediation guidance and can support re-testing of resolved findings within the compliance window.



