Large organisations often tell us the same thing. “We want to achieve Cyber Essentials Plus, but the way we operate does not align with the technical controls that Cyber Essentials Plus requires.”
Complex architectures, legacy systems, and layered security requirements mean that a purely prescriptive approach can sometimes feel more like a constraint than something that enables better security outcomes.
Pathways was designed to respond to this challenge, providing a way for organisations to demonstrate that their controls deliver equivalent (or better) protection, even where they differ from the standard Cyber Essentials model.
Essentially, Pathways introduces flexibility without weakening trust.
It’s all about giving organisations more than one way to demonstrate that they are achieving the same overall outcome, rather than implementing the individual security controls. It effectively provides an ‘alternative pathway’ to achieving Cyber Essentials Plus certification, without compromising the integrity of the scheme.
Over the last 18 months, we’ve been running the Cyber Essentials Pathways Proof of Concept (PoC) to see if organisations can demonstrate that their alternate controls manage the risks covered by Cyber Essentials. This culminated in one of the PoC organisations demonstrating that they could achieve Cyber Essentials plus using the Pathways approach.
In this blog we’ll explain what worked with the PoC, what didn’t, what needs to change, and what happens next.
