Cyber Essentials 'Pathways': A New Approach to Cybersecurity Certification for Large Organizations

The UK’s National Cyber Security Centre (NCSC) is taking a significant step forward in cybersecurity certification with its Cyber Essentials Pathways initiative. Designed to address the challenges faced by large and complex organizations, this new approach offers an alternative route to achieving Cyber Essentials certification. The traditional Cyber Essentials framework, while effective, can be overly prescriptive for organizations with unique infrastructures or legacy systems. The Pathways experiment aims to provide flexibility while maintaining robust security outcomes^[1].

The initiative has now moved from an experimental phase to a Proof of Concept (PoC), which will run for 12 months and involve up to 40 large organizations. These organizations will work with certification bodies to test alternative technical controls that achieve the same security outcomes as the standard Cyber Essentials requirements^[2].

TL;DR

The UK’s National Cyber Security Centre (NCSC) is developing an alternative certification route called Cyber Essentials Pathways for large organizations struggling with traditional compliance.
The Pathways approach allows organizations to demonstrate equivalent outcomes through alternative technical controls, rather than strictly adhering to prescriptive measures.
A 12-month Proof of Concept (PoC) is underway, targeting up to 40 large organizations (250+ employees) to test the new certification process.
The PoC involves a 3-phase process, including traditional Cyber Essentials self-assessment, gap analysis, and testing of alternative mitigations.
Red Teams can leverage this initiative to identify potential gaps in organizations’ alternative controls during engagements.

The Pathways Approach: A New Route to Certification

The Cyber Essentials Pathways approach is designed for organizations that cannot implement some of the prescribed technical controls due to legitimate constraints, such as legacy systems or bring-your-own-device (BYOD) policies. Instead of adhering to the standard controls, organizations can demonstrate equivalent outcomes through alternative technical measures. These alternatives must be testable and technical, ensuring they provide comparable resilience against commodity cyber attacks^[3].

For example, a university with a BYOD policy might not be able to enforce strict device controls but could implement network segmentation and endpoint monitoring to achieve the same level of security. The Pathways approach allows such organizations to gain certification by proving the efficacy of these alternative measures^[4].

Proof of Concept: What to Expect

The 12-month PoC will involve a structured 3-phase process:

Traditional Cyber Essentials Assessment: Organizations will undergo a standard self-assessment and Cyber Essentials Plus testing to identify gaps.
Development of Alternative Tests: Certification bodies will design additional tests to verify the effectiveness of the organization’s alternative controls.
Testing and Certification: Organizations will undergo a final testing phase, potentially leading to Cyber Essentials and Cyber Essentials Plus certification.

The PoC will also involve developing new structures, processes, and materials to ensure the Pathways approach is scalable and commercially viable. The NCSC’s delivery partner, IASME, is leading this effort^[5].

Red Team Relevance

For Red Teams, the Pathways initiative presents both opportunities and challenges. Here’s how this development is relevant:

Identifying Gaps in Alternative Controls: Red Teams can focus on testing the effectiveness of alternative controls implemented by organizations. For example, if an organization uses network segmentation as an alternative to device-level controls, Red Teams can probe for weaknesses in the segmentation strategy.
Exploiting Legacy Systems: Organizations with legacy systems that cannot meet traditional Cyber Essentials controls may inadvertently introduce vulnerabilities. Red Teams can target these systems during engagements to highlight risks.
Testing Outcomes-Based Security: The Pathways approach emphasizes outcomes over compliance. Red Teams can simulate attacks to determine whether the organization’s alternative controls truly achieve the intended security outcomes.

Conclusion

The Cyber Essentials Pathways initiative represents a significant evolution in cybersecurity certification, offering flexibility for large organizations while maintaining robust security standards. By focusing on outcomes rather than prescriptive controls, the Pathways approach addresses the unique challenges faced by complex infrastructures.

For Red Teams, this development underscores the importance of understanding and testing alternative controls during engagements. As the PoC progresses, it will be crucial to monitor its outcomes and adapt offensive strategies accordingly.