
DfE Cyber Security Standards Checklist for Schools: Evidence Your Compliance

The DfE Cyber Security Standards (January 2023) set out what England's schools and colleges are expected to have in place, but they do not always make clear what evidence governors and IT leads should be able to produce on request. This checklist translates each DfE standard into a practical action together with the evidence that demonstrates it is met. Use it to assess your current position, identify gaps, and build the documentation trail that governors, Ofsted, and the ICO would expect to see.

DfE Cyber Security Standards: five domains, dozens of specific requirements — this checklist translates each into an evidenceable action for school governors and IT leads.

Domain 1: Governance

The DfE requires schools to demonstrate that cybersecurity is governed at board level, with documented policies and regular risk reporting.

  • [ ] Information security policy — documented, approved by the governing body, reviewed in the last 12 months. Evidence: signed policy document with governor approval minutes.
  • [ ] Risk register entry — cybersecurity included in the school's risk register with a current risk rating. Evidence: risk register with cybersecurity entry, governor meeting minutes discussing risk.
  • [ ] Governor briefing — governing body receives regular cybersecurity updates. Evidence: governor meeting agenda and minutes showing cybersecurity discussion.
  • [ ] Designated cybersecurity lead — named person responsible for cybersecurity (IT lead, business manager, or headteacher). Evidence: named in policy and organisational chart.

Domain 2: Protection

Technical controls demonstrating that the school's systems, devices, and accounts are protected against common attacks.

  • [ ] MFA deployed on all staff accounts — email, MIS, remote access, and financial systems. Evidence: for Microsoft 365, security defaults enabled or the Conditional Access policy configuration (screenshot or export); for Google Workspace, the 2-Step Verification enforcement setting; for the MIS and finance systems, the MFA setting in each system, because tenant-level MFA does not cover accounts held outside that tenant.
  • [ ] Patching within 14 days — documented process ensuring critical and high-severity security updates are applied to all in-scope devices within 14 days of release, in line with the Cyber Essentials requirement. Evidence: patch management log or IT provider patching report showing release and install dates, and how unsupported devices are removed from the network.
  • [ ] Boundary firewall — internet-facing firewall with inbound traffic blocked by default, only documented and justified services exposed, no administrative interface reachable from the internet, and default passwords changed. Evidence: firewall rulebase export or configuration review from the IT provider, dated and signed off.
  • [ ] Access control — staff have only the access they need; administrative accounts are separate from daily-use accounts; leavers' accounts are disabled promptly. Evidence: access control policy and a dated user account review, including the list of privileged accounts.
  • [ ] Malware protection — up-to-date antivirus or endpoint protection on all in-scope devices, with real-time protection on and signatures current. Evidence: antivirus management console report showing device coverage and last-update dates.

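The console reports above are the primary evidence, but an IT lead often also needs dated, per-device proof that the controls are actually in effect on a given machine. The script below is an added example, not from the DfE standards or the original page: it collects the Domain 2 evidence a Windows 10/11 endpoint can report about itself (Defender status and signature age, most recent installed update against the 14-day window, firewall profile state, and local administrator membership) and writes a timestamped JSON file per device. It assumes Microsoft Defender Antivirus and Windows Firewall are in use, and the share path `\\school-fs01\cyber-evidence` is a placeholder to change. MFA evidence comes from the identity tenant (the Entra or Google admin console), not from the device, so this script does not cover it.

```powershell
# Added example: collect per-device Domain 2 evidence on a Windows 10/11 endpoint.
# Assumptions: Microsoft Defender Antivirus and Windows Firewall are in use;
# $EvidenceRoot is a placeholder share controlled by the IT lead. Run as an administrator.
param(
    [string]$EvidenceRoot   = "\\school-fs01\cyber-evidence",  # assumed path, change to your share
    [int]$PatchWindowDays   = 14,                              # DfE / Cyber Essentials window
    [int]$MaxSignatureAgeDays = 7
)

$now      = Get-Date
$hostName = $env:COMPUTERNAME

# Malware protection: Defender engine state and how old the signatures are
$mp = Get-MpComputerStatus
$malware = [pscustomobject]@{
    AntivirusEnabled          = $mp.AntivirusEnabled
    RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
    SignatureLastUpdated      = $mp.AntivirusSignatureLastUpdated
    SignatureAgeDays          = $mp.AntivirusSignatureAge
    Pass = ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and
            $mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
}

# Patching: most recent OS update with a recorded install date. Get-HotFix lists
# installed OS updates only (not missing ones or third-party software), so treat this
# as a supporting check and keep the patch-management report as primary evidence.
$hotfixes  = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending
$lastPatch = $hotfixes | Select-Object -First 1
$patching = [pscustomobject]@{
    LastUpdateId   = $lastPatch.HotFixID
    LastUpdateDate = $lastPatch.InstalledOn
    DaysSince      = if ($lastPatch) { [int]($now - $lastPatch.InstalledOn).TotalDays } else { $null }
    Pass           = ($lastPatch -and ($now - $lastPatch.InstalledOn).TotalDays -le $PatchWindowDays)
}

# Host firewall: every profile enabled and not allowing inbound by default.
# 'NotConfigured' inherits the Windows default, which blocks inbound, so only 'Allow' fails.
$fwProfiles = Get-NetFirewallProfile
$firewall = [pscustomobject]@{
    Profiles = ($fwProfiles | ForEach-Object { "$($_.Name)=Enabled:$($_.Enabled)/Inbound:$($_.DefaultInboundAction)" }) -join '; '
    Pass     = -not ($fwProfiles | Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -eq 'Allow' })
}

# Access control: who holds local admin on this device. Daily-use staff accounts
# should not appear here; only dedicated IT administrative accounts.
$localAdmins = (Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name) -join '; '

$report = [pscustomobject]@{
    Collected   = $now.ToString('s')
    Host        = $hostName
    Malware     = $malware
    Patching    = $patching
    Firewall    = $firewall
    LocalAdmins = $localAdmins
}

# One dated JSON file per device, so the evidence trail shows when and where it was gathered
$outDir = Join-Path $EvidenceRoot $hostName
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$outFile = Join-Path $outDir ("domain2-{0}.json" -f $now.ToString('yyyyMMdd-HHmm'))
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $outFile -Encoding UTF8

$report | Format-List
```

Run it from a scheduled task or an Intune/Group Policy script so every managed device deposits a file each term; the folder then doubles as the dated evidence set for the governor report. Any device whose `Pass` fields are false is a gap to record on the checklist rather than a reason to edit the output.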
Domain 3: Response

Evidence that the school has an incident response capability and that staff can recognise and report incidents.

  • [ ] Incident response plan — documented, tested in the last 12 months, accessible offline. Evidence: the plan document; tabletop exercise record or test date.
  • [ ] Staff security training — all staff have completed security awareness training in the last 12 months. Evidence: training completion records.
  • [ ] ICO breach procedure — documented procedure for assessing a personal data breach and notifying the ICO within 72 hours of becoming aware where the breach is likely to result in a risk to individuals, with a log of all breaches including those judged not notifiable. Evidence: UK GDPR breach procedure document and breach log.
  • [ ] Incident reporting channel — staff know who to report suspected incidents to. Evidence: staff briefing records; incident reporting procedure in acceptable use policy.

Domain 4: Recovery

Evidence of backup capability that could allow the school to recover from a ransomware attack without paying the ransom.

  • [ ] Backup policy — documented backup schedule covering MIS, financial systems, and critical data. Evidence: backup policy document.
  • [ ] Offsite/offline backup — at least one backup copy that is offline, immutable, or otherwise not reachable from the school network using the school's everyday or domain administrator credentials, so a ransomware operator who compromises the domain cannot delete it. Evidence: backup solution configuration; cloud backup provider details, including how the backup account is secured.
  • [ ] Backup restore test — successful restore test in the last 6 months. Evidence: test record with date, systems tested, and outcome.
  • [ ] Business continuity plan — documented plan for operating during system outages. Evidence: BCP document.

Domain 5: Ecosystem (Third-Party Suppliers)

Evidence that the school manages the security risk from EdTech vendors and other third-party suppliers.

  • [ ] Vendor register — list of all suppliers processing personal data on behalf of the school. Evidence: Record of Processing Activities (ROPA) or vendor register.
  • [ ] DPAs in place — Data Processing Agreements (UK GDPR Article 28 terms) signed with every processor handling pupil, parent, or staff personal data. Evidence: signed DPA documents.
  • [ ] Vendor security assessment — evidence of security due diligence for significant vendors. Evidence: vendor security questionnaires or certifications.
  • [ ] Cyber Essentials certification — achieved or plan in place to achieve. Evidence: Cyber Essentials certificate or project plan.

Frequently Asked Questions

How should schools present this evidence to governors?

An annual cybersecurity report to governors should summarise progress against the DfE standards using a red/amber/green (RAG) rating, with the specific evidence behind each domain's rating. The report should be presented by the IT lead or business manager and include any incidents from the past year, the current Cyber Essentials status, and the plan and owner for each remaining gap. Minuting the report creates the documented record of governor engagement that the DfE's accountability expectations call for.

Can this checklist be used as evidence of DfE compliance?

This checklist is a framework for identifying and documenting evidence — it is not itself evidence of compliance. Completing the checklist and noting which evidence exists and which is missing gives a clear gap assessment. The actual evidence (policies, configuration screenshots, training records, backup test logs) is what demonstrates compliance to the DfE, Ofsted, or the ICO if required.

How often should schools complete this checklist?

Annually as a minimum — timed to align with Cyber Essentials renewal and the governing body's annual review of the information security policy. Schools should also review relevant sections when significant changes occur: new IT systems, network changes, new cloud services, or a security incident.
