Cyber Essentials for Schools and Colleges: Certification Guide and What It Covers

Cyber Essentials is the UK government's foundational cybersecurity certification scheme, managed by the NCSC. For schools, it has become the expected baseline: the DfE's January 2023 Cyber Security Standards explicitly build on Cyber Essentials, and the NCSC strongly recommends certification for all educational institutions. Yet many schools — particularly smaller primaries and single-academy trusts — have not yet achieved it, leaving them exposed to basic attacks that Cyber Essentials is specifically designed to prevent.

Cyber Essentials certification covers five technical controls that the NCSC says would prevent the majority of common cyberattacks — including the ransomware that took Harris Federation's 50 schools offline.

What Cyber Essentials Covers

Cyber Essentials focuses on five core technical controls that evidence shows would prevent the vast majority of common cyberattacks:

  • Firewalls: boundary firewalls and internet gateways configured to block unauthorised access
  • Secure configuration: devices configured securely, unnecessary software and services removed
  • User access control: user accounts with only the access they need, administrator accounts limited
  • Malware protection: anti-malware software deployed and up to date on all devices
  • Patch management: operating systems and software patched within 14 days of a security update being released

Cyber Essentials vs Cyber Essentials Plus

There are two tiers of Cyber Essentials certification. Standard Cyber Essentials is a self-assessment questionnaire, verified by an approved certifying body. Cyber Essentials Plus adds independent technical testing — a vulnerability scan and hands-on assessment — carried out by the certifying body. For schools, standard Cyber Essentials is the appropriate starting point. Multi-academy trusts and further education colleges with more complex infrastructure may benefit from Cyber Essentials Plus, which provides stronger assurance and is increasingly required by cyber insurers.

JISC Support for Further Education

JISC — the Joint Information Systems Committee — provides dedicated cybersecurity support for further education colleges and universities in the UK. JISC negotiates subsidised Cyber Essentials rates for FE colleges, provides Janet network security services, and publishes an annual cyber threat report for the higher and further education sector. FE colleges should engage with JISC before pursuing Cyber Essentials certification independently, as subsidised routes and pre-assessment support may be available.

What Cyber Essentials Does Not Cover

Cyber Essentials is a baseline — it is not a comprehensive security framework. It does not cover social engineering and phishing training, incident response planning, physical security, backup and recovery, or third-party supplier risk. Schools that achieve Cyber Essentials certification should treat it as the starting point of a broader security programme, not the destination. The DfE standards require governance, incident response, and staff training in addition to the Cyber Essentials technical controls.

Frequently Asked Questions

How long does Cyber Essentials certification take for a school?

For a well-prepared school, the self-assessment questionnaire can be completed in a few days. However, most schools will need to address gaps first — deploying MFA, updating patching processes, or reconfiguring firewalls. A realistic timeline for a school starting from scratch is two to four months from initial assessment to certification.

Is Cyber Essentials free for schools?

Cyber Essentials is not free, but costs are modest. Certifying body fees typically start from around £300 for smaller organisations. JISC offers subsidised pricing for FE colleges. Some local authorities and academy trusts negotiate group rates. The NCSC's Schools Cyber Health Check tool is free and can help schools identify gaps before formal certification.

Do all schools in a multi-academy trust need separate Cyber Essentials certification?

It depends on the trust's IT infrastructure. If schools share a common network and IT environment managed centrally by the trust, a single MAT-level certification may cover all schools. If individual schools have independent IT systems, separate certifications may be required. This is a common question — certifying bodies can advise on scoping before the assessment begins.
