Last year, the Department for Education (DfE) launched their ‘Cyber Security Standards for Schools and Colleges’. These standards are designed to ensure that schools and colleges are equipped with the necessary tools and knowledge to protect their digital infrastructure and data.

We now have a new tool (free to existing subscribers) to allow you to assess your school, college or MAT against these standards and create an action plan to ensure that they are being met.

So, what are the standards?


Why are these standards important?

In our increasingly digital world, cyber security has become a critical aspect of our daily operations. From managing student records to sharing data with other agencies, we rely heavily on technology. However, this dependence also exposes us to potential cyber threats. By adhering to these standards, we can significantly reduce our vulnerability to such threats, ensuring the safety and integrity of our data.

Moreover, these standards are not just about protecting our systems; they’re also about compliance. As you know, data protection is a legal requirement under the General Data Protection Regulation (GDPR). By meeting these cyber security standards, we’re also supporting our data protection compliance, ensuring that we handle personal data responsibly and securely.


How can we follow these standards?

The DfE has outlined several key areas that we need to focus on to meet these standards. Here is a brief (non-exhaustive) overview:

  1. Firewalls and Network Devices:
    We need to ensure that our devices are protected by correctly configured firewalls. This includes changing default administrator passwords, keeping firewall firmware up to date, and regularly reviewing firewall logs.
  2. User Accounts:
    We need to control and limit user accounts and access privileges. This includes changing default device passwords, requiring authentication for users to access sensitive data, and removing unused accounts.
  3. Multi-factor Authentication:
    Where practical, we should enable multi-factor authentication. This adds an extra layer of security by requiring users to present two or more forms of authentication.
  4. Anti-malware and Anti-virus Software:
    We need to ensure that our systems are protected by up-to-date anti-malware and anti-virus software.
  5. Software and Hardware Updates:
    All software and hardware should be kept up to date. Unsupported software or hardware should be replaced or removed.
  6. Data Backups:
    Regular backups of important data should be made, with at least one of these backups being kept off-site.
  7. Contingency Planning:
    We need to have a contingency plan in place for cyber attacks. This plan should be part of our overall business continuity and disaster recovery plan.

By following these standards, we’re not only improving our cyber security but also enhancing our data protection capabilities. For instance, by controlling user accounts and access privileges, we’re ensuring that personal data is only accessed by those authorised to do so. Similarly, by regularly backing up data, we’re ensuring that we can recover personal data in the event of a data loss incident.


Introducing Our New Cyber Security Audit Tool

To complement the guidance provided by the DfE, we have developed a practical tool to help you assess your school’s compliance with the new cyber security standards. This tool is designed to make the process of meeting these standards more manageable and transparent. The tool is already included in the existing audit function of the Data Protection Portal so, next time you login, you should see it there waiting for you!

Just like our Data Protection audit tool, this uses a Red/Amber/Green (RAG) rating system. Each element of the cyber security standards is mapped out in the tool, allowing you to assess whether you fully meet (Green), partially meet (Amber), or do not meet (Red) each standard.

Here’s how it works:

βœ… Assessment:

  • For each element of the standards, you will assess your current level of compliance.

    If you fully meet the standard, you’ll mark it as Green. If you partially meet the standard, it’s Amber. And if you don’t meet the standard, it’s Red.

βœ… Reasoning:

  • For any element that is marked as Red or Amber, you will be able to provide an explanation. This will help identify the specific areas where improvement is needed.

βœ… Action Planning:

  • Next, you will outline the necessary actions to meet the standard. This could involve implementing new procedures, investing in new technology, or providing staff training.

βœ… Responsibility:

  • For each action, you will assign a responsible person or team. This ensures accountability and helps to keep the action plan on track.

βœ… Timeframe:

  • Finally, you will set a timeframe for each action. This helps to ensure that improvements are made in a timely manner and allows for progress tracking.

By using this tool, you can create a clear road-map for improving your cyber security and data protection practices. It provides a structured approach to meeting the new standards and allows you to track your progress over time.

Remember, the goal of this tool is not just to achieve a ‘Green’ rating across the board, but to foster a culture of continuous improvement and awareness. Cyber security is an ongoing process, and this tool is designed to support you on this journey.

We hope you find this tool useful in your efforts to meet the new cyber security standards. As always, we’re here to support you, so please don’t hesitate to reach out if you have any questions or need further assistance.

If you aren’t a current SchoolPro TLC customer, you can access the tool through our Data Protection Portal. More information can be found here:

Subscription options to the portal can be found here:

If you have any other questions about this or any other data protection topic, please contact us atΒ

Stay safe and healthy,

The SchoolPro TLC Team


SchoolPro TLC Ltd (2023)

SchoolPro TLC guidance does not constitute legal advice.

SchoolPro TLC is not responsible for the content of external websites.