Skip to main content
← Back to Resources

Is Your School Cyber Essentials Ready? A Simple Checklist

17 March 2026 · Hurst Technology

Cyber Security Cyber Essentials Compliance

Cyber attacks on schools are increasing. Ransomware, phishing, and data breaches are no longer problems reserved for large corporations — schools are a target because they hold valuable personal data and often have limited IT resources. Cyber Essentials is a government-backed certification scheme that helps organisations protect themselves against the most common cyber threats. Here’s how to assess whether your school is ready.

What Is Cyber Essentials?

Cyber Essentials is a straightforward certification that focuses on five key technical controls. It’s not about achieving military-grade security — it’s about getting the fundamentals right. Think of it as the digital equivalent of locking your doors and windows.

There are two levels:

  • Cyber Essentials — a self-assessment questionnaire verified by an external certifying body
  • Cyber Essentials Plus — includes all of the above, plus a hands-on technical audit

For most schools, starting with the standard Cyber Essentials certification is the right move. It’s affordable, achievable, and demonstrates to parents, governors, and the DfE that you’re taking cyber security seriously.

The 5 Control Areas: Your Checklist

1. Firewalls

Firewalls control what traffic can enter and leave your network. They’re your first line of defence against external threats.

Check these:

  • You have a firewall in place at your network boundary (between your network and the internet)
  • Default admin passwords on your firewall have been changed
  • Firewall rules are reviewed at least annually
  • Unnecessary open ports have been closed
  • Personal firewalls are enabled on all devices that connect to untrusted networks (e.g., staff laptops used at home)

2. Secure Configuration

This is about making sure your devices and software aren’t left in their default, often insecure, state.

Check these:

  • Default passwords have been changed on all devices and accounts
  • Unnecessary software has been removed from school devices
  • Auto-run and auto-play features are disabled
  • Screen locks are configured on all devices (with a reasonable timeout)
  • Guest and unused accounts have been disabled or removed

3. Access Control

Only the right people should have access to the right things. This control is about managing user accounts and permissions properly.

Check these:

  • Every user has their own individual account (no shared logins)
  • Admin accounts are only used for admin tasks, not day-to-day work
  • Staff accounts are removed promptly when someone leaves the school
  • Multi-factor authentication (MFA) is enabled on all cloud services (Microsoft 365, Google Workspace, MIS platforms)
  • Permissions follow the principle of least privilege — staff only have access to what they need

4. Malware Protection

Malware — including viruses, ransomware, and spyware — is one of the most common threats schools face.

Check these:

  • Antivirus or anti-malware software is installed on all devices
  • Malware definitions are updated automatically and regularly
  • Users are prevented from installing unapproved software
  • Email filtering is in place to catch malicious attachments and links
  • Staff have received basic awareness training on recognising phishing emails

5. Patch Management

Unpatched software is one of the easiest ways for attackers to get in. Keeping everything up to date is essential.

Check these:

  • Operating systems are set to update automatically (or are patched within 14 days of an update being released)
  • Applications (browsers, Office, PDF readers) are kept up to date
  • Unsupported software (anything that no longer receives security updates) has been removed or replaced
  • Firmware on network devices (firewalls, switches, access points) is kept current
  • There’s a process in place for testing and deploying updates — ideally managed through a tool like Microsoft Intune or WSUS

How Did You Score?

If you ticked most of the boxes above, you’re in good shape to pursue certification. If there are gaps, that’s completely normal — and now you know exactly where to focus.

The most common areas where schools fall short are:

  • MFA not enabled on cloud platforms — this is one of the single most effective security measures you can take
  • Shared accounts still in use, particularly for admin or MIS access
  • Unpatched devices — especially older machines that have fallen off the update cycle
  • No staff training — technology alone isn’t enough; your staff need to know what to watch for

How to Get Started

  1. Use this checklist to do an honest self-assessment
  2. Prioritise the gaps — focus on quick wins like enabling MFA and removing shared accounts first
  3. Talk to your IT provider — if they can’t help you with Cyber Essentials, that’s a red flag
  4. Choose a certifying body — the NCSC website lists approved Cyber Essentials certifying bodies
  5. Set a target date — having a deadline keeps things moving

Cyber Essentials certification is well within reach for any school. It’s not about being perfect — it’s about having the right foundations in place.

You can learn more on our Cyber Security page. If you’d like help assessing your readiness or working through certification, get in touch.

Want to discuss this with us?

Book a Consultation