NCSC reports progress on Cyber Essentials Pathways pilot

The UK’s National Cyber Security Centre (NCSC) says its Cyber Essentials Pathways proof of concept has shown that some organisations can meet the scheme’s security goals through alternative controls,...

The UK’s National Cyber Security Centre (NCSC) says its Cyber Essentials Pathways proof of concept has shown that some organisations can meet the scheme’s security goals through alternative controls, without lowering the standard expected for Cyber Essentials Plus.

The pilot was created for larger organisations whose environments do not always fit neatly with the prescriptive requirements of the baseline scheme. According to the NCSC, the aim is to preserve confidence in certification while allowing organisations to demonstrate equivalent protection in different ways.

What the pilot tested

Over the past 18 months, the NCSC worked with 22 organisations, alongside IASME and certification bodies, to examine whether non-standard controls could be assessed in a structured and defensible way. The work also looked at what governance, guidance and oversight would be needed if the approach were expanded.

The NCSC said the exercise produced both expected and unexpected findings. In several cases, the process helped organisations improve patching, segmentation and the handling of unsupported systems. Some participants also strengthened areas such as bring-your-own-device security while certification was still being considered.

Key findings

  • Alternative approaches can lead to measurable security improvements, not just compliance changes.
  • The main barriers were complexity, scope definition and internal decision-making rather than lack of interest.
  • Closer collaboration between organisations and certification bodies improved understanding of the control objectives behind Cyber Essentials.
  • Clear, proportionate evidence is essential when assessing equivalent controls.
  • For now, NCSC oversight remains important to keep decisions consistent.

In one pilot case, an organisation was able to demonstrate Cyber Essentials Plus through the Pathways method. The NCSC also noted that some participants, after refining their approach, went on to complete certification through the standard route instead.

Overall, the agency says the pilot suggests Pathways may be useful both as an alternative route to certification and as a way to help organisations better understand and improve their cyber hygiene. Further development will depend on the guidance and governance needed to support broader use.