Compliance: More Than Just a Checklist

By Paul Armstrong: Vice Chair of Governors & Senior Cybersecurity Culture & Awareness Specialist, Secure Schools

The Department for Education has just updated its Academy Trust Governance Guide – Section 7: Compliance, and I’d really encourage fellow governors and trustees to take five minutes to read it.

Yes, it’s about compliance, but no, it’s not just another document. It’s a straightforward, plain-English guide to the day-to-day responsibilities that sit with trust boards. More than that, it’s a reminder that good governance isn’t just about knowing the rules; it’s about creating a culture where those rules are lived and felt throughout the organisation.

So, what’s changed in the June 2025 update? 🤔

The DfE has sharpened the focus on everyday accountability and governance visibility. Here are a few highlights that jumped out at me:

• More emphasis on website compliance, trusts are now reminded that statutory information must be updated, accurate, and easy to find. That’s not a web admin job,  it’s a governance responsibility.
• Greater clarity around risk compliance isn’t just about finance and health & safety anymore. Digital risk, data protection, and cyber resilience are listed.
• Stronger language around board responsibility, the new wording clarifies that “trustees must know what’s happening in practice”, not just rely on paperwork or assurances.

These updates reflect what many of us have been saying for a while: governance has to stay in step with the world, and communities in which schools operate, especially when that world is increasingly digital.

Why is it worth a read?

Let’s be honest: most of us didn’t become governors because we loved reading government guidance. But if we want to offer strategic oversight, we must get into the habit of reading this kind of guidance. It’s not about knowing every line... It’s about understanding what’s expected of us and ensuring our schools meet it.

This updated section on compliance is clear and readable. It strips things back to the essentials: what we need to be checking, what the law expects, and what good governance looks like in real, practical terms. It helps you ask better questions, isn't that the foundation of effective challenge and support?

What does this mean for us as governors?

It means we’ve got a role to play beyond policies and minutes. Compliance is:

• Asking whether the systems we have in place actually work for staff and pupils
• Checking in on whether policies are followed and understood
• Making sure that risks — including cyber risks — are being managed, not just recorded
• Supporting leadership teams with challenge and clarity, not blame
  
  

Cybersecurity is a good example. It’s no longer “just an IT issue.” The guidance is clear: data breaches, phishing threats, and digital infrastructure are all governance concerns. You don’t have to be a tech expert, but you need to know the right questions.

As I’ve probably stolen from someone cleverer than me:

“cybersecurity is no longer optional or technical background noise”.

It’s front and centre, part of your trust’s safeguarding culture. And yes, as governors, we’re just as responsible for it as we are for finance, health and safety, and child protection. If it’s on the risk register, it’s on our radar, whether it’s ransomware or a leaky roof.

Try these at your next board meeting:

Here are some example conversation starters to ask in your next board meeting, which directly relate to the latest wording in the government guidance: 

1. Ask when your website was last checked against statutory requirements.
   
   “Trusts must ensure their websites are compliant with statutory requirements and provide accurate information to the public.”
   
   
2. Find out who oversees digital safeguarding, and how confident they are in their systems.
   
   “Boards must ensure that IT systems and controls are secure, fit for purpose, and regularly reviewed.”
   
   
3. Review how cyber, data protection, and IT risks are reported to the board.
   
   “Boards must ensure risks are identified, monitored and mitigated... including cybersecurity threats.”
   
   
4. Include compliance on the agenda, not just as a tick-box but as an active discussion point.
   
   “Boards should ensure that appropriate policies and procedures are in place and being followed in practice.”
   

What can I do to learn more about these changes?

Governance isn’t about catching people out. It’s about building confidence in your staff, systems, and school’s ability to do the right thing daily.

The updated guide is a helpful tool to make that happen.

If you haven’t read it yet, take a look here. It might be the most useful five minutes of your week.

If you have more than five minutes, Secure Schools has also added the NCSC questions for governors and trustees to cyber score. This is a free-to-use tool and the easiest way to keep track of what you need to be doing as a governor or trustee to keep track of your school's latest cybersecurity requirements. 

Secure Schools will share more info on the latest changes to the Academy Trust Handbook guidance over the next few days for all facets of cybersecurity in schools. Tell your non-governor colleagues to keep an eye on our social channels for more information very soon!