Cyber Essentials Accreditation Guide for Schools: Step-by-Step Certification Process
Cyber Essentials certification is the most important first step a UK school can take on its cybersecurity journey — and the foundation on which the DfE Cyber Security Standards (January 2023) are built. Yet many schools delay or avoid certification because the process seems unclear or technical. This step-by-step guide demystifies Cyber Essentials for schools, explaining exactly what the five controls require, what the assessment process involves, and how to address the most common failure points that cause schools to fail their first assessment attempt.
Cyber Essentials certification — the NCSC's baseline security scheme — is the foundation of the DfE Cyber Security Standards and increasingly required by cyber insurers as a condition of cover.
Step 1: Choose a Certifying Body
Cyber Essentials certificates are issued through certification bodies licensed by IASME, the NCSC's delivery partner and administrator for the scheme; IASME publishes the list of licensed bodies on its website. Schools should select a body with experience in the education sector, since scoping questions about student devices, shared staff accounts and MAT structures come up repeatedly. For FE colleges, Jisc offers a subsidised pathway. The cost of standard Cyber Essentials certification for a school typically falls between £300 and £600, depending on the certification body and the level of pre-assessment support included.
Step 2: Understand the Five Controls
Prepare your school against each of the five Cyber Essentials controls before beginning the formal assessment:
- **Firewalls**: a boundary firewall protects the school network, and a host firewall is enabled on laptops used on home or public networks; default administrative passwords are changed; administrative interfaces are not reachable from the internet unless there is a documented need; inbound rules exist only for services that need them and are removed when no longer required
- **Secure configuration**: default and unnecessary accounts removed or disabled; unnecessary software uninstalled; autorun disabled; devices lock with a password, PIN or biometric; the scheme's password policy enforced (minimum length with a deny list of common passwords, or multi-factor authentication)
- **User access control**: every user has a unique account with only the access their role needs; administrative accounts are separate from daily-use accounts and used only for administrative tasks; access is reviewed when staff leave or change role; guest accounts disabled; multi-factor authentication enforced on cloud services
- **Malware protection**: anti-malware software (or an equivalent such as application allow-listing) on all in-scope devices, updated automatically and scanning files and web pages on access; executable downloads from unknown sources blocked
- **Patch management**: only licensed, vendor-supported operating systems and software in use; updates that fix high or critical vulnerabilities (CVSS 7.0 or above, or described by the vendor as critical) applied within 14 days of release; automatic updates enabled wherever the software supports them
Step 3: Define Your Scope
The Cyber Essentials scope covers every device that can connect to the internet and reach the organisation's data or services: laptops, desktops, servers, tablets, mobile phones, firewalls and routers, whether school-owned or personally owned. For a school, this typically includes all staff laptops and desktops, the school server(s), managed tablets and mobile devices, and any cloud services used by staff. Staff personal devices used to read school email or access school data (BYOD) are in scope, which catches many schools out; a personal phone used only for calls, texts and MFA codes is not. Student devices may be in scope if they can access staff systems. Cloud services such as Microsoft 365 and Google Workspace are in scope, and the questionnaire asks specific questions about their configuration, including whether MFA is enforced. A subset of the organisation can be certified if it is separated by a firewall or VLAN, but whole-organisation scope is what insurers and the DfE standards expect.
Step 4: Complete and Submit the Questionnaire
The Cyber Essentials self-assessment questionnaire is completed online through the certification body's portal and is signed off by a senior person at the school, typically the headteacher or a trust executive. Questions cover each of the five control areas and require specific answers about your configuration, not a general "yes, we have firewalls" but details of what is in place and how it is managed. Common failure points for schools include: admin accounts being used for day-to-day work; high or critical patches more than 14 days behind, or devices running unsupported operating systems; anti-malware software not configured to update automatically; and cloud services without MFA enforced for all users. Review the current version of the IASME document "Cyber Essentials: Requirements for IT infrastructure" before completing the questionnaire, since the questions map directly onto it.
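Before paying for the assessment it is worth running the same checks the assessor will, against the five controls in Step 2 and the failure points listed above. The script below is an added example for this guide, not tooling from IASME, the NCSC or any certification body. The inventory records are constructed for illustration and the field names are assumptions; in practice you would build them from an MDM/RMM export, a directory listing and the cloud admin portal. The thresholds themselves (14-day window for high/critical updates, MFA on cloud services) are the scheme's own.

```python
"""Pre-submission self-check against the five Cyber Essentials controls.

Added example; not IASME, NCSC or certification-body tooling. The sample
inventory is constructed and the record fields are assumptions. Replace
them with data from your MDM/RMM tool, directory service and cloud portals.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

PATCH_WINDOW_DAYS = 14   # scheme requirement: high/critical fixes within 14 days
CRITICAL_CVSS = 7.0      # CVSS score at or above which the 14-day window applies

Finding = Tuple[str, str, str]   # (control, asset, issue)


@dataclass
class Device:
    name: str
    os_supported: bool                        # vendor still issues security updates
    pending_updates: List[Tuple[float, date]]  # (cvss_score, vendor release date)
    antivirus_auto_update: Optional[bool]     # None where anti-malware does not apply
    default_passwords_changed: bool           # firewall/router/admin defaults replaced


@dataclass
class User:
    name: str
    is_admin: bool
    admin_used_for_daily_work: bool   # email, browsing or documents from the admin account
    is_guest: bool
    enabled: bool


@dataclass
class CloudService:
    name: str
    mfa_enforced_for_all: bool


def check_patching(devices: List[Device], today: date) -> List[Finding]:
    """Patch management: unsupported OS, or a high/critical update older than 14 days."""
    findings = []
    for d in devices:
        if not d.os_supported:
            findings.append(("Patch management", d.name, "operating system out of support"))
        for cvss, released in d.pending_updates:
            age = (today - released).days
            if cvss >= CRITICAL_CVSS and age > PATCH_WINDOW_DAYS:
                findings.append(("Patch management", d.name,
                                 f"CVSS {cvss} update unapplied for {age} days"))
    return findings


def check_configuration(devices: List[Device]) -> List[Finding]:
    """Firewalls / secure configuration / malware protection on each device."""
    findings = []
    for d in devices:
        if not d.default_passwords_changed:
            findings.append(("Firewalls / secure configuration", d.name,
                             "default password still in use"))
        if d.antivirus_auto_update is False:
            findings.append(("Malware protection", d.name,
                             "anti-malware not set to update automatically"))
    return findings


def check_access(users: List[User], cloud: List[CloudService]) -> List[Finding]:
    """User access control: admin accounts in daily use, live guest accounts, missing MFA."""
    findings = []
    for u in users:
        if u.is_guest and u.enabled:
            findings.append(("User access control", u.name, "guest account enabled"))
        if u.is_admin and u.admin_used_for_daily_work:
            findings.append(("User access control", u.name,
                             "admin account used for day-to-day work"))
    for s in cloud:
        if not s.mfa_enforced_for_all:
            findings.append(("User access control", s.name, "MFA not enforced for all users"))
    return findings


def run_self_check(devices, users, cloud, today) -> List[Finding]:
    """All three checks, sorted by control so the output reads as an action list."""
    return sorted(check_patching(devices, today)
                  + check_configuration(devices)
                  + check_access(users, cloud))


# Constructed sample inventory (not real school data).
SAMPLE_DEVICES = [
    Device("STAFF-LAPTOP-01", True, [(9.8, date(2024, 3, 1))], True, True),
    Device("OFFICE-PC-07", False, [], True, True),
    Device("EDGE-FIREWALL", True, [(5.3, date(2024, 2, 1))], None, False),
]
SAMPLE_USERS = [
    User("j.smith", False, False, False, True),
    User("it-admin", True, True, False, True),
    User("Guest", False, False, True, True),
]
SAMPLE_CLOUD = [CloudService("Microsoft 365", False)]
TODAY = date(2024, 3, 20)

if __name__ == "__main__":
    for control, asset, issue in run_self_check(SAMPLE_DEVICES, SAMPLE_USERS, SAMPLE_CLOUD, TODAY):
        print(f"[{control}] {asset}: {issue}")
```

On the constructed data the script reports six findings: the laptop's 19-day-old critical update, the out-of-support PC, the firewall's default password, the admin account used for daily work, the enabled guest account and the tenant without MFA. The firewall's CVSS 5.3 update is not reported, because the 14-day clock applies only to high and critical fixes; patch it anyway, but it is not a certification blocker.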
Step 5: Maintain and Renew
Cyber Essentials certification lasts one year and must be renewed annually. Schools should treat renewal as an opportunity to verify that controls have been maintained and to address any changes in the technology environment — new cloud services, new devices, network changes — that may affect the compliance posture. Building Cyber Essentials renewal into the annual governance calendar — with the governing body receiving a confirmation of certification each year — demonstrates the ongoing governor engagement the DfE standards expect.
Frequently Asked Questions
What happens if our school fails Cyber Essentials?
Failing Cyber Essentials is not unusual; it usually means the assessment has surfaced gaps the school did not know it had. The assessor at the certification body will state which questions did not meet the requirement. Treat that feedback as a prioritised action list, fix the gaps, and resubmit within the window the certification body gives you, as a late resubmission can mean starting a new application. Most schools that fail the initial assessment achieve certification on the second attempt once the identified issues are addressed.
Is Cyber Essentials Plus better than Cyber Essentials for schools?
Cyber Essentials Plus provides independent technical verification of the controls through hands-on testing, rather than self-assessment. It provides stronger assurance and is increasingly required by cyber insurers for higher-value policies. For most primary and smaller secondary schools, standard Cyber Essentials is the appropriate starting point. Cyber Essentials Plus is recommended for larger secondary schools, MATs with complex infrastructure, and FE colleges processing significant amounts of sensitive data.
Can a multi-academy trust get one Cyber Essentials certificate for all its schools?
It depends on the infrastructure. If all schools in the MAT share a common network, email system, and device management environment managed centrally, a single MAT-level certification may cover all schools. If schools have independent IT systems, each would need separate certification — though coordinating a single certifying body and consistent methodology across the MAT reduces cost and complexity. Certifying bodies can advise on scoping for MATs before the assessment begins.