An alternate path to Cyber Essentials Plus certification, without compromising the integrity of the scheme.
Eugene Mymrin via Getty Images
Large organisations often tell us the same thing. “We want to achieve Cyber Essentials Plus, but the way we operate does not align with the technical controls that Cyber Essentials Plus requires.”
Complex architectures, legacy systems, and layered security requirements mean that a purely prescriptive approach can sometimes feel more like a constraint than something that enables better security outcomes.
Pathways was designed to respond to this challenge, providing a way for organisations to demonstrate that their controls deliver equivalent (or better) protection, even where they differ from the standard Cyber Essentials model.
Essentially, Pathways introduces flexibility without weakening trust.
It’s all about giving organisations more than one way to demonstrate that they are achieving the same overall outcome, rather than implementing the individual security controls. It effectively provides an ‘alternative pathway’ to achieving Cyber Essentials Plus certification, without compromising the integrity of the scheme.
Over the last 18 months, we’ve been running the Cyber Essentials Pathways Proof of Concept (PoC) to see if organisations can demonstrate that their alternate controls manage the risks covered by Cyber Essentials. This culminated in one of the PoC organisations demonstrating that they could achieve Cyber Essentials plus using the Pathways approach.
In this blog we’ll explain what worked with the PoC, what didn't, what needs to change, and what happens next.
What we learned
The NCSC worked with 22 organisations, alongside IASME and their Certification Bodies, to:
- test how alternative controls could be assessed against Cyber Essentials requirements in a structured and defensible way
- understand what additional guidance and governance would be needed
Some of what we learned confirmed our expectations, but some of it genuinely surprised us.
In areas like patching, network segmentation and the management of unsupported systems, we saw meaningful improvements, even where certification was still in progress. In some cases, patching timelines were reduced dramatically, and previously weak areas (such as BYOD security) were strengthened.
This matters because it reinforces a key principle; Pathways isn’t about certification for its own sake. It’s about improving how organisations manage risk in the real world, not just on paper. The Pathways process helped to shed light on where there was still risk and what form it took, allowing the organisation to plan how they would manage it.
One of the clearest findings was that organisations were not reluctant to engage, far from it. The barriers weren’t about intent; they were about reality:
- defining scope in highly complex environments
- navigating internal governance and decision making
- understanding what was required, and when
These are the practical challenges of operating at scale, and they help explain why progress was sometimes slower than we had expected.
The PoC encouraged closer collaboration between organisations and Certification Bodies than in a standard Cyber Essentials engagement. The Certification Bodies didn’t simply assess; they played a much more active role in helping organisations understand their environments, guiding scoping decisions and supporting remediation.
This increased engagement led to a better understanding of the intended outcome behind Cyber Essentials requirements. In fact, some organisations - having clarified and adapted their approach - were then able to achieve certification through the traditional route.
So Pathways isn’t just about creating an alternative route to certification; it’s also about helping organisations engage more effectively with the scheme overall.
Assessing alternative controls is not a simple mapping exercise. It requires a clear understanding of the intended outcome behind each control, and a structured way to assess whether that intent is being met, taking into account risk, coverage, and operational reality. Organisations need to clearly explain how their controls operate in practice, while assessors need a consistent way to evaluate that evidence without creating unnecessary burden. Where the appropriate evidence does not exist, the Certification Body needs to be able to carry out appropriate testing to assure themselves.
During the later stages of the PoC, closer involvement from the NCSC helped ensure consistency in decision-making. Without that, there is a real risk of variability in how equivalence is interpreted. Without boundaries, shared understanding, and practical examples, there’s a risk of inconsistency or misinterpretation. These guardrails are essential to allow the Pathways approach to scale effectively.
We recognise that a Pathways approach is likely to incur higher costs for organisations than the standard Cyber Essentials route. Assessing alternative controls demands additional effort from organisations to explain their approach, and from Certification Bodies to evaluate that approach and where necessary, undertake further testing. This reflects both the increased complexity and the more tailored nature of the approach, as well as the need for enhanced expertise within Certification Bodies to make sound judgments on alternative solutions.
The PoC did what we hoped it would do; it proved that the Pathways model works. However, it also showed where we need to simplify, clarify, and make the approach scalable and sustainable. In particular, further work is needed to refine the methodology, improve usability, and ensure consistent application.
During the pilot the increased risk from AI became very clear. At present, we assess that current AI capabilities are primarily being used by more sophisticated threat actors, so do not yet fall within the scope of Cyber Essentials (which is designed to protect organisations against attacks using publicly known tools and techniques).
However, we recognise that AI is likely to be used to develop of commodity attacks, and that organisations will have to prepare to patch quickly, more often, and at scale. We are also aware that many organisations continue to face challenges in meeting the 14-day patching requirement following a vendor’s release, as mandated by Cyber Essentials. We will continue to monitor these developments closely and work with DSIT on any future consultation regarding the evolution of the Cyber Essentials control set.
What happens next?
We’re now ready to take the next step; opening Pathways to a broader (but still carefully managed) set of organisations, and testing how Pathways operates within the existing Cyber Essentials ecosystem, including Certification Body and Assessor qualifications. During this phase, we will build our knowledge of what works in particular contexts, and refine the methodology and supporting guidance. This approach allows us to scale carefully, maintaining trust in the scheme while continuing to learn and adapt.
The NCSC will act as the authority for confirming that Cyber Essentials risk is being appropriately managed, working closely with IASME and Certification Bodies. Only when we have sufficient confidence and consistency in the approach will the NCSC step back.
If your organisation operates at enterprise scale and believes Cyber Essentials Plus outcomes are achievable but difficult to demonstrate through the traditional CE approach, get in touch to discuss suitability, readiness, and potential engagement routes.
Increasing flexibility, maintaining strength
Cyber Essentials remains a cornerstone of the UK’s cyber resilience. Pathways isn’t about changing that foundation; it’s about giving organisations more than one way to demonstrate that they are effectively managing the most fundamental risk faced on a day-to-day basis, without lowering the standard. Cyber Essentials works because it is clear, accessible, and trusted and remains just as relevant when countering today’s attacks. Pathways must protect those strengths, even as we introduce more flexibility.
We’re really grateful to all the organisations and Certification Bodies who contributed to the PoC. Their openness, expertise and willingness to work through new (and sometimes complex) challenges has been instrumental in getting us to this point. Personally, one of the most encouraging aspects has been seeing how organisations responded when given a bit more flexibility. Not by lowering the bar, but by engaging more deeply with what good security looks like in their environment.
Sentinel — Human
The text reads as a high-level summary or blog post based on a structured consultation, exhibiting the balance and contextual depth typical of expert journalism rather than pure synthetic generation.
