Cyber Essentials for Schools: Frequently Asked Questions
Cyber Essentials is the NCSC's baseline cybersecurity certification and the foundation of the DfE Cyber Security Standards. Schools across England are working towards or considering Cyber Essentials — but many have questions about what it actually involves, how much it costs, and whether it is right for their institution. This FAQ answers the most common questions we receive from schools about Cyber Essentials.
Cyber Essentials certification demonstrates that a school has implemented the five technical controls the NCSC says would prevent the majority of common cyberattacks.
What Is Cyber Essentials and Why Do Schools Need It?
Cyber Essentials is the UK government's baseline cybersecurity certification scheme, administered by IASME on behalf of the NCSC. It covers five technical controls: boundary firewalls, secure configuration, user access control, malware protection, and patch management. The NCSC states that these five controls, properly implemented, would prevent the majority of common cyberattacks. Schools need Cyber Essentials because the DfE Cyber Security Standards are explicitly built on it — meeting Cyber Essentials satisfies most of the technical requirements of the DfE standards. It also provides independent verification of the school's security posture, is increasingly required by cyber insurers, and demonstrates to governors and parents that the school takes cybersecurity seriously.
Cyber Essentials vs Cyber Essentials Plus: Which Do Schools Need?
Standard Cyber Essentials is a self-assessment questionnaire verified by an accredited certifying body. Cyber Essentials Plus adds independent technical verification through hands-on testing by the certifying body.
- Most primary schools and smaller secondary schools: standard Cyber Essentials is the appropriate starting point
- Larger secondary schools, MATs, and FE colleges: Cyber Essentials Plus provides stronger assurance and is increasingly required by cyber insurers
- Any school handling particularly sensitive data or connected to highly sensitive networks: Cyber Essentials Plus provides a stronger baseline
JISC subsidises Cyber Essentials for FE colleges.
Common Failure Points for Schools
The most common reasons schools fail their Cyber Essentials assessment:
- Admin accounts used for day-to-day work: administrators should have separate standard accounts for daily tasks
- Patching more than 14 days behind: the 14-day patching requirement catches many schools with manual update processes
- Antivirus not automatically updating: manually updated antivirus fails the malware protection control
- Cloud services not meeting CE requirements: Microsoft 365 or Google Workspace security settings may need adjustment
- BYOD devices in scope: personal devices that can access school data are in scope and must meet requirements
- Default passwords not changed: network devices, routers, and servers with default credentials fail the secure configuration control
Frequently Asked Questions
How much does Cyber Essentials cost for a school?
Standard Cyber Essentials certification typically costs between £300 and £600 for a school, depending on the certifying body. JISC subsidises certification for FE colleges. Some local authorities and MATs negotiate group rates for multiple schools. The NCSC's Schools Cyber Health Check (free) can be used to assess readiness before paying for formal certification — reducing the risk of failing and paying twice.
How long does Cyber Essentials take for a school?
For a well-prepared school, the self-assessment questionnaire can be completed in a few hours to a few days. However, most schools need to address gaps before the formal assessment — deploying MFA, updating patching processes, reconfiguring cloud security settings. A realistic timeline from initial assessment to certification for a school starting from scratch is two to three months.
Does Cyber Essentials cover all the DfE Cyber Security Standards?
Cyber Essentials covers most of the technical controls in the DfE standards — firewalls, secure configuration, access control, malware protection, and patch management. However, the DfE standards go further on governance: documented policies, governor engagement, staff training, incident response planning, and third-party supplier oversight are required in addition to the Cyber Essentials technical baseline. Achieving Cyber Essentials is an important milestone, not the finish line.
Can a MAT get one Cyber Essentials for all its schools?
Yes, where schools share a common network, email, and device management environment managed centrally by the trust. A single MAT-level certification can cover all schools under shared infrastructure. Where individual schools have independent IT systems, each may need separate certification. A certifying body experienced with MATs can advise on scoping before the assessment begins.