How to Complete a Cyber Essentials Certification Check

Schools are prime targets for cybercriminals. In fact, recent government data suggests that a significant proportion of UK schools have experienced at least one cyber breach or attack in the last year.

 

Cyber Essentials is a UK government-backed framework designed to help organisations, regardless of size or sector, protect themselves against a range of the most common cyber threats. There isn't a separate Cyber Essentials for education/schools; schools follow the same rigorous, industry-standard criteria as any other organisation. In the education sector, the framework serves as a guided, practical way to implement the fundamental security controls every school needs to safeguard students' and staff's data.

Why Cyber Essentials is Essential for Schools

It's easy to feel overwhelmed by the complexity of cybersecurity, but the basics go a long way. According to the NCSC, implementing the five core controls can prevent 80% of common cyber attacks. 

 

Beyond the technical protection, achieving certification offers several key benefits:

 

  1. Trust and reputation.

    It demonstrates a clear commitment to data protection to parents, governors, staff, stakeholders and the Department for Education (DfE). 

  2. Financial benefits.

    Certified organisations are 92% less likely to make an insurance claim. Consequently, many insurers now offer reduced premiums for schools that hold a valid Cyber Essentials certificate. 

  3. Compliance.

    It aligns your school with the growing expectations for digital security standards across the public sector. 

Understanding the Requirements

The certification focuses on five technical control themes. To keep it simple, think of these as the "five pillars" of your school's digital perimeter. Here's a non-technical breakdown of what each "pillar" consists of: 

 

  1. Firewalls: Putting a "digital gate" between your school network and the internet.

  2. Secure Configuration: Ensuring devices are set up safely, rather than using default "factory" settings.

  3. Malware Protection: Using software to defend against viruses and malicious code.

  4. Security Update Management: Keeping software up to date so hackers can't exploit old "holes" in the system.

  5. User Access Control: Ensuring staff and students only have access to what they actually need, and restricting "super admin" access so that only authorised users can make changes.

 

It is important to remember that this isn't a "tick-box" exercise. It is an independently verified assessment of your school's actual posture. 

Choosing Your Path: To Consult or Not to Consult? 

When pursuing Cyber Essentials for education, you have two primary routes: the non-consultancy route and the consultancy route. Your choice depends on your internal technical confidence and the complexity of your school's network.

 

The Non-Consultancy Route

 

This is a solo journey through the certification process: 

Step 1: After purchase, you receive the self-assessment questionnaire.

Step 2: You complete it and submit it to IASME (the National Cyber Security Centre's delivery partner).

Step 3: You pass or fail. If you fail twice, you are required to repurchase the application and start again. 

 

The Consultancy Route (recommended for schools)

 

This is a collaborative process, executed by Secure Schools, and designed to put your school in the best position to have a successful application:

Step 1: You receive the self-assessment form.

Step 1a [if required/requested]: You attend a one-to-one consultancy session with our experts to walk through the requirements. 

Step 2: Think of this as a mock exam. We review your hardware, software, and processes, giving feedback on what needs to change to meet the standard. Before you officially submit, we'll let you know if you are likely to pass. 

Step 3: Secure Schools provides final guidance, assesses your application, and issues the pass/fail result. 

Why Schools Need a Specialist

Applying for a certification within an educational setting involves unique variables that don't always exist in a standard business office. From managing diverse "Bring Your Own Device" (BYOD) policies for students and staff to securing specialised classroom technology and creative software, the infrastructure of a school is a distinct ecosystem. A specialist approach ensures that these educational requirements are balanced with the rigorous security standards of the Cyber Essentials framework. 

 

We provide a named point of contact who speaks the language of schools and trusts. We understand how classroom tech differs from a corporate office and how a Multi-Academy Trust (MAT) manages its centralised data differently from a standalone school.

 

With a track record of helping over 850 organisations achieve certification, we know exactly where the common pitfalls lie and how to avoid them. 

How to Get Started 

Cyber Essentials is available for all UK schools and trusts, regardless of size. Secure Schools' Cyber Essentials consultancy is a standalone service available for all UK primary and secondary schools and trusts. Click the link below to book a consultation with our team and discover the best path for your school.

 

Book a consultation with our experts here