
Cyber Resilience Testing (CRT)

Demonstrate that your software is secure, resilient, and designed for real-world cyber risk.

Cyber Resilience Testing (CRT) is an outcome-based cyber security assurance assessment that demonstrates whether internet-connected software products are designed, developed, and maintained with security and resilience at their core.

CRT uses a National Cyber Security Centre (NCSC)-approved methodology and is delivered by approved Cyber Resilience Test Facilities such as GRC. It provides organisations, buyers, and risk owners with clear, evidence-based assurance, without the limitations of rigid, checklist-driven certification models.

Why Cyber Resilience Testing matters

Organisations need confidence that the software they rely on is secure in practice, not just compliant on paper.
Cyber Resilience Testing provides a flexible yet robust framework that enables software vendors to demonstrate how their products meet recognised cyber security and resilience principles, while supporting modern development methods and innovation.
Unlike traditional certification approaches, CRT:

Outcome-focused security: focuses on security outcomes rather than pass/fail checklists

Real-world threats: reflects real-world threats and operating conditions

Risk-based decisions: supports risk-based decision-making for buyers and stakeholders

Supply chain assurance: provides meaningful assurance across complex digital supply chains

What we test

Cyber Resilience Testing evaluates products against the NCSC Assurance Principles and Claims framework, structured across five key themes:

Secure design and development

Build environment security

Secure deployment and maintenance

Communication with customers

Product-specific usage, design, and operation

Each theme defines high-level principles that represent recognised good practice (for example, following an established secure development framework).
GRC works collaboratively with product teams to:

Define clear claims against each principle

Identify relevant supporting evidence

Assess how effectively the product meets the intent of the principles

How we test

Our assessment approach is practical, proportionate, and evidence-led.
Testing typically includes review of:

Policies, standards, and development processes

Historical Service Desk tickets and issue tracking records

Product roadmaps, governance documentation, and meeting minutes

We also evaluate live and operational evidence, including:

Screenshots of technical configurations and security settings

Demonstrations of system behaviour

Witnessed testing activities where appropriate

This ensures assurance is based on how the product is actually built, operated, and maintained.

Standards and schemes covered

Cyber Resilience Testing applies the Principles-Based Assurance (PBA) methodology defined by the NCSC.

GRC is an approved Cyber Resilience Test Facility, authorised to deliver CRT assessments using this approach.

What you get

Cyber Resilience Testing does not issue certificates.
Instead, the outcome is a Product Assessment Report, which can be shared with customers, procuring organisations, and internal stakeholders.
The report provides:

Clear assessment against each assurance principle

Documented weaknesses or limitations in claims

Practical, risk-aligned insight to support decision-making

This delivers meaningful, real-world assurance, aligned to actual risk rather than theoretical compliance.

Talk to GRC about Cyber Resilience Testing

If you need to demonstrate the security and resilience of your software product, or require clear, credible assurance to support procurement and risk decisions, GRC can help.