13 December 2024

What is Cyber Essentials Pathways?

You might have come across the term "Pathways" in discussions surrounding Cyber Essentials. If you've been curious about what exactly it is, this blog post will explore the concept, purpose, and relevance of Cyber Essentials Pathways, particularly for certain organisations.

Cyber Essentials Pathways is a specialised version of the Cyber Essentials and Cyber Essentials Plus frameworks. However, it is currently only available to large or enterprise-sized organisations. IASME, the official delivery partner of the Cyber Essentials scheme, uses the number of employees as a criterion to determine the size of a company. Specifically, organisations with 250 or more employees are classified as large and are eligible to apply for Pathways.

Unfortunately, if you belong to a smaller organisation, the Pathways program is not available to you at this time. Nevertheless, it is beneficial to stay informed about this initiative. Changes or expansions to program availability could occur in the future, and being knowledgeable about Pathways will prepare you to take advantage of the scheme if and when it becomes accessible to smaller entities.

What is Cyber Essentials Pathways?

Cyber Essentials Pathways serves as an alternate route for large organisations to achieve certification in both Cyber Essentials (CE) and Cyber Essentials Plus (CE+) frameworks. For those companies that find it challenging to meet the standard requirements of these certifications, Pathways offers a solution. It allows these organisations to implement "Alternative Technical Controls" (ATCs) that may not directly align with the CE standards but still adhere to robust security practices. The effectiveness of these ATCs is then assessed through a security review, such as a penetration test, to validate their efficacy. This alternative pathway ensures that large organisations can remain secure and certified, even when conventional compliance is not feasible.

Why does Cyber Essentials Pathways exist?

Large or enterprise-level organisations often face difficulties in complying with the stringent requirements of the Cyber Essentials (CE) certifications, because the standards are rigorous and specific. A common example is the CE requirement to apply security updates for vulnerabilities rated critical or high (which the scheme defines as a CVSS v3 base score of 7.0 or above) within 14 days of the update's release. Deploying patches across numerous devices, particularly large or disruptive updates that need change control and regression testing first, can overwhelm both internal and external teams and make the 14-day deadline hard to meet.

This is just one example; several other requirements might be unachievable for a larger organisation. However, these companies often have other security measures in place that mitigate the risk posed by the non-compliant infrastructure. In the Pathways scheme these measures are referred to as "Alternative Technical Controls" (ATCs). Where the organisation cannot patch a vulnerability within 14 days, an ATC might be a network restriction such as IP allow-listing (whitelisting), so that the vulnerable servers cannot be reached from the internet, or network segmentation with strict firewall rules and access control lists that constrain traffic flow and minimise exposure. These can be complemented by continuous monitoring tools such as Intrusion Detection and Prevention Systems (IDPS) or a Web Application Firewall (WAF).
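As an added illustration of the network-restriction style of ATC described above (this is not a ruleset from the original post, and the service port, interface, and address ranges are assumed values), the following nftables configuration for a Linux host runs an internally used service on TCP/8443 that cannot be patched within the 14-day window. The host defaults to dropping inbound traffic, only allow-listed management sources may reach the service, and every other attempt is counted and logged so that blocked connections are visible to monitoring:

```nft
#!/usr/sbin/nft -f
# Added example, not the original post's configuration.
# Assumed: the vulnerable service listens on TCP/8443 and only the
# management subnet 10.20.0.0/24 and the jump host 203.0.113.10 need it.
flush ruleset

table inet legacy_app {
    # Allow-listed sources (assumed values) that legitimately need access
    set mgmt_allow {
        type ipv4_addr
        flags interval
        elements = { 10.20.0.0/24, 203.0.113.10 }
    }

    chain input {
        # Default deny: anything not explicitly accepted below is dropped
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Administrative access to the host, limited to the same sources
        tcp dport 22 ip saddr @mgmt_allow accept

        # The compensating control: only allow-listed sources can reach the
        # unpatched service; the rest of the internet cannot
        tcp dport 8443 ip saddr @mgmt_allow accept

        # Every other attempt at the service is logged and counted so that
        # the denied traffic can be shown to the assessor as evidence
        tcp dport 8443 log prefix "legacy_app-denied: " counter drop
    }
}
```

Load it with `nft -f` and keep it persistent across reboots. Because the table is of family `inet` but the match is `ip saddr`, IPv6 connections to the service never match the accept rule and fall through to the drop policy, which is the intended outcome for a control whose purpose is to make the host unreachable from unexpected sources. A tester validating this ATC would attempt to connect to port 8443 from an address outside the set and expect a timeout, then confirm from an address inside it that the service still responds; the control is only meaningful if the filtering sits on the host itself or at a choke point the traffic cannot route around.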

Pathways therefore offers large organisations a way to gain Cyber Essentials certification without first having patched or fixed every non-compliant item. The Alternative Technical Controls must be applied to the specific gaps in security, such as:

  • Missing security updates / End of life software
  • Exposed legacy network services
  • Weak authentication protocols

Cyber Essentials Pathways acknowledges these alternative strategies by allowing large companies to validate their ATCs through a tailored penetration test conducted by a certified body. If these ATCs prove effective, the organisation can then achieve Cyber Essentials and Cyber Essentials Plus certifications. This not only provides certification but also gives additional assurance that their ATCs are effective mitigations against potential security threats.

It's important to emphasise that ATCs must consist of technical controls; administrative mitigations such as risk assessments, policies or procedures alone cannot be used as substitutes. While these administrative controls can support and complement the ATCs, they are not included in the certification testing process and so cannot serve as standalone means of meeting the certification requirements.

How is the Pathways certification process conducted?

Note: the following diagram is not an exhaustive manual for conducting a Cyber Essentials Pathways Assessment but rather details the overall methodology adopted by Claranet Cyber Security when performing a Pathways assessment.

The process, while comprehensive, is structured to be fairly straightforward for large organisations. The initial step involves engaging with a preferred certification body (CB). Together, the organisation and the CB will review the requirements of both Cyber Essentials (CE) and Cyber Essentials Plus (CE+) and evaluate any potential challenges in meeting the standards’ requirements. A gap analysis might also be conducted to determine the necessity of pursuing the Pathways option.

With sufficient data and evidence, the CB and the organisation can then decide whether Pathways is the only feasible route to certification. Using Pathways should generally be seen as a last resort, since aligning technical controls directly with the standard's requirements provides the best security, is more cost-effective, and streamlines the certification process; it nonetheless remains an option when standard compliance is unachievable. It is also important to note that certification through Pathways is not guaranteed: the final decision rests with IASME's moderators rather than with the CB.

Should Pathways be deemed necessary, the next step involves both the organisation and the CB applying directly to IASME to initiate the process. Here’s a high-level overview of the subsequent phases:

Phase 0
On-boarding to Pathways, including contract review and obtaining board approval for testing.

Phase 1
Completion of the CE verified self-assessment (VSA) and a full CE+ audit. The results from both are moderated by IASME, during which the Alternative Technical Controls (ATCs) will be identified for any areas that fail to meet the CE technical requirements.

Phase 2
Collaboration with the CB to design a bespoke penetration test (pentest) around the ATCs. This test plan is then reviewed by IASME.

Phase 3
Upon approval, the pentest is conducted, and a detailed report of the findings is created and submitted to IASME for final moderation and approval.

If successful, the organisation will be awarded the standard Cyber Essentials and Cyber Essentials Plus certifications. As with most frameworks and audits, if issues arise, remediation and possibly re-testing might be necessary, or the test results may not be accepted, thus precluding the achievement of Cyber Essentials certification.

How much does it cost?

It's important to note that the cost of the Pathways process can be considerable. This includes fees payable to the certification body (CB) for services such as the CE verified self-assessment (VSA), CE+ audit, and the bespoke penetration test, as well as fees to IASME for the moderation process. Additional costs may also arise for a gap analysis, if required. For more detailed information, we recommend contacting your certification body or Claranet if you do not yet have a partner for Cyber Essentials.

How can Claranet help?

As one of the leading certification bodies in the UK for Cyber Essentials, Claranet is highly recommended for the extensive support it offers to larger organisations, especially those with sensitive and critical information systems. Our expertise in delivering CHECK-approved penetration testing, combined with our team of dedicated assessors and testers, allows us to guide companies through the certification process.

At Claranet, we view Cyber Essentials as an opportunity for continuous improvement rather than just an audit. We enable organisations to demonstrate their security posture and their resilience against cyber threats, so they can meet their auditing and compliance requirements and provide assurance to their key stakeholders that they are meeting widely accepted security standards. Through training, consultancy, audits and assessments, we provide organisations with a roadmap for minimising cyber security risk to their business.

Contact us if you do not yet have a partner for Cyber Essentials, or to find out how we can help you meet your auditing and compliance requirements.