IT Health Check

Female IT engineer using laptop in server room.

Take proactive measures to identify and address security vulnerabilities with our IT Health Check (ITHC).

The continuing rise in the volume and sophistication of cyber threats means that your institution needs reliable, proven, cost-effective ways to mitigate security risks.

As a CREST-accredited organisation, we offer a comprehensive ITHC service which comprises a series of controlled vulnerability scans and security control checks, designed to deliberately identify and expose security vulnerabilities that might be present in your IT environment.

All work is carried out by our in-house cyber security experts, who are experienced, trained and certified, at a cost-effective rate.

CREST logo


Jisc is a CREST-accredited provider of penetration testing.

CREST membership is an internationally-recognised badge of excellence in information security. 

How the ITHC service helps

An ITHC is now an annual mandatory requirement for many institutions and may also be needed by others to bid for certain government contracts.

The purpose of an ITHC is to provide assurance that your institution’s external systems are protected from unauthorised access or change, and do not provide an unauthorised entry point into internal systems. Internal systems are also tested for weaknesses in network infrastructure or individual systems that could allow one internal device to affect the security of others.

You’ll receive an ITHC report that shows the testing elements such as external testing and internal testing, and any vulnerabilities will be identified and associated with remedial action for reducing the risk.

It is not a pass or fail audit, but an assessment. As well as being an annual mandatory requirement for many institutions, it demonstrates good security controls and governance to protect your staff, students, and data. An ITHC also gives assurance to your suppliers, customers and stakeholders that controls are implemented and working correctly.

How the service works

An ITHC tests internal and external systems and the security measures and controls your institution has implemented. It identifies and exposes security vulnerabilities that might be present in IT solutions.

The ITHC service process involves the following steps:

  • External testing
  • Internal testing
  • Application testing
  • Server or endpoint build reviews
  • Network and firewall configuration reviews
  • Reporting

During testing, assessors mimic real-world attacks on an application, system, or network to identify vulnerabilities that could, without mitigation, be exploited. Real-world scenario tests allow us to evaluate existing security measures and identify gaps for security improvement.

An ITHC can determine how well the system tolerates real world-style attack patterns, the likely level of sophistication an attacker needs to compromise the system successfully, any additional countermeasures that could mitigate threats against the system, and the defender’s ability to detect attacks and respond appropriately.

We’ll help you to scope your ITHC

Getting the scope of an ITHC right is one of the most important aspects in ensuring that the ITHC is a worthwhile exercise and provides you with the correct level of assurance. Jisc will arrange and conduct a scoping call to discuss and agree this with you.

If a member is not confident that they meet the ITHC requirements, or that the ITHC has uncovered unexpected risks, Jisc can offer our Cyber Security Assessment (CSA) service.

Why use Jisc?

  • We have proven expertise in delivering cyber services to the education, public, private sector, and local authorities, being both CREST-approved and also endorsed by NCSC to CIR L2
  • We offer flexible services to meet different needs and budgets of our members
  • We ensure continuous improvement to cyber services through intelligence sharing
  • Our sector-specific threat intelligence is always current and industry leading
  • We are focused on future-proofing. Our security experts can offer workshops as part of an engagement upskill for your internal staff, and to enhance your testing and security capability for the future

Further information

To find out more about the ITHC service, contact your relationship manager.

You can also book a place on one of our cyber IT Health Check service clinics to gain an understanding of where the service sits among other Jisc services such as Cyber Essentials and penetration testing.


To find out more about the ITHC service please contact your relationship manager: contact your relationship manager.

How to buy

Crown Commercial Service Supplier logo

Jisc has been appointed as an approved supplier on the Crown Commercial Services dynamic purchasing system (DPS). The benefit for our members in purchasing through the DPS is that it allows public sector buyers to procure an extensive variety of cyber security services from a range of pre-qualified suppliers.

Visit the Crown Commercial Service (CCS) website for more information. The ‘how to buy’ section gives full details for registering as a buyer and navigating through the process.

NB: The Jisc ITHC and penetration testing services are not listed on the NCSC approved list since we are CREST accredited, not CHECK accredited.

The CCS runs regular webinars for customers explaining what and how to buy from the new cyber security DPS. See upcoming webinar sessions.

Service level description


Please ensure your organisation understands and adheres to the security policy.

Hours of service

The service is available during the business day.

The business day is defined as Monday to Friday. It excludes 24-31 December, all English public holidays and also the Tuesday following the August public holiday.

Service description

A service providing organisations with an IT health check (ITHC).

Your responsibilities

You are responsible on an ongoing basis for:

  • Ensuring that Jisc has up to date contact details of a suitable representative from within your organisation and any changes in responsibility promptly notified
  • Ensuring the list of authorised users is maintained where automated testing is employed.


Charges will be determined during the discussions of the requirements between you and Jisc.

Request for service

Request this service by contacting the service desk on tel: 0300 300 2212 or via email:

Service delivery time

You will be contacted to discuss requirements within three business days of receipt of a request for assistance.

Terms and conditions

Please ensure your organisation understands and adheres to the terms and conditions.


If you are experiencing an issue with the service and wish to escalate the issue, please contact us via the service desk on 0300 300 2212 or

ISO certification

This service is included within the scope of our ISO9001 and ISO27001 certificates.

Read more about International Organisation for Standardisation (ISO) standards and view Jisc certificates.

ISO 9001-2015 UKAS logo

ISO/IEC 27001 UKAS logo

Cyber essentials

This service is certified by Cyber Essentials and Cyber Essentials Plus for its internet-facing infrastructure, including firewalls and routers, located in the UK.

Read more about certifications and view Jisc certificates.

Cyber Essentials certificate

Cyber Essentials Plus certificate