IT Health Check

Our team assesses all internet-facing systems and assets that store, process or transmit sensitive data. This includes reviewing data security configurations, TLS implementations, firewall rules and network segmentation, and testing against OWASP Top 10 vulnerabilities. Automated and manual vulnerability scanning is conducted to identify external attack vectors.

Internal testing covers all in-scope assets including servers, databases, file systems and internal network infrastructure. We assess database security configurations, server and network hardening, internal firewall and security gateway configurations, wireless setups where applicable, and access controls including VPN and third-party access. Least privilege access enforcement is reviewed across all relevant environments.

Automated and manual vulnerability scanning is conducted across both external and internal environments. Findings are classified by criticality and CVSS score (version 3.0 or above), in line with NCSC and PDP reporting requirements.

A standard penetration test can be conducted by any CREST-accredited supplier. An IT Health Check specifically refers to the CHECK-scheme version of penetration testing, which is mandated for public sector use. CHECK-accredited suppliers are security-cleared, making them the only approved option for testing systems that connect to or process government data. CyberLab holds both CHECK and CREST accreditation.

A CyberLab ITHC covers external infrastructure testing, internal infrastructure testing, vulnerability scanning, application and API security assessment, remote access and VPN evaluation, and database security review. The exact scope is defined during the planning phase and agreed with your team to ensure it meets the specific code of connection requirements for your framework – whether that is PSN, G-Cloud, NHS DSPT or the Pensions Dashboards Programme.

Yes. Organisations connecting to the Pensions Dashboards Programme ecosystem – including pension providers, schemes and integrated service providers – must conduct an ITHC or penetration test and submit a report before connection is approved. The test must comply with the PDP code of connection and be conducted by a CREST or CHECK-accredited supplier. CyberLab is accredited under both schemes.

Timescales vary depending on the size and complexity of your environment. Straightforward ITHCs for smaller organisations can be scoped and delivered within a few weeks. For larger or more complex environments, or where multiple assets are in scope, the process takes longer. CyberLab offers next-day testing for urgent compliance deadlines – speak with our team to discuss your timeline.

You receive a comprehensive, audit-ready report that details all findings, including vulnerability descriptions, CVSS base scores (version 3.0 or above), severity classifications, potential impact assessments and specific remediation guidance for each finding. The report is formatted to meet the submission requirements for PSN, G-Cloud, NHS DSPT and PDP frameworks as applicable.

Most frameworks that require an ITHC specify that it should be repeated annually, or whenever significant changes are made to in-scope systems or infrastructure. Your CHECK-accredited supplier can advise on the appropriate frequency based on your specific framework requirements.

Yes. CyberLab has extensive experience working with NHS Trusts and healthcare organisations. Our consultants are SC-cleared and experienced in NHS DSPT requirements. We work with over 60 NHS organisations across the UK.

An ITHC must be conducted by a supplier accredited under the CHECK scheme, administered by the NCSC. CHECK Team Leaders (CTLs) lead the engagement, supported by CHECK Team Members (CTMs). All CHECK-accredited testers hold security clearance. CyberLab’s team includes 7 CHECK Team Leaders and 6 CTMs, all SC or NPPV3-cleared.