GovWire

These standards are for all schools and colleges to help build their cyber resilience. They address the core principles of cyber governance, processes and strategy.

Cyber Essentials is a government-backed certification that happens on an annual basis. It provides a level of assurance to organisations across all sectors not just the education sector on the technical elements of their cyber security.

Whilst the Cyber Essentials certification is not a requirement, some schools and colleges may wish to complete it as part of their cyber security activities. These standards can help you work towards certification. However, it is for the senior leadership team (SLT) to decide whether Cyber Essentials is right for your school or college now, and in the future.

Why this standard is important

Those in schools and colleges need to know the risks associated with their hardware, software and data to properly mitigate and defend against any potential cyber incidents or attacks.

Assessing cyber risks means you can:

• understand how to keep students, staff and the wider school or college community safe
• understand how prepared the school or college is in response to a cyber incident or attack
• highlight weaknesses and put processes in place to help reduce risk
• secure systems to make sure they are more resilient to cyber incidents and attacks
• prepare a cyber response plan to be implemented quickly in the event of a serious incident to minimise any impact to the school or college

Not identifying and assessing risk, or preparing a response, could lead to:

• safeguarding issues if students safeguarding information is unavailable or if confidential data is accessed and misused
• lasting disruption to the operation of the school or college, including closure
• significant impact on student outcomes
• other schools or colleges on your broader organisational network such as those within a multi-academy trust being impacted by the same cyber incident or attack
• a significant data breach
• reputational damage
• significant unexpected spend and lost staff time to recover systems and data

Who needs to be involved

The senior leadership team (SLT) digital lead will be accountable for, and prioritise and coordinate activity relating to this standard. IT support (who may be an internal support person or external provider) will action this standard.

You can find out more about the role of the SLT digital lead in our standards on digital leadership and governance.

The SLT digital lead will work with:

• IT support to review the outcomes of discussions with key staff and action them within the risk assessment
• any IT leads in your broader organisation (if applicable) to find out if anything needs to be actioned or approved by them
• the data protection officer (DPO) who will give advice on any risk around data and processes to make sure personal and sensitive personal data in schools and colleges is secure
• facilities or estate management to identify any physical security risks that could create problems for core systems and data, such as a door that will not lock on a server room
• the headteacher or principal who will need to make decisions on actions suggested by the SLT digital lead and IT support
• the school, college or trust business professionals or the finance team who will help budget and plan for any changes needed, update the risk register, and buy in any additional services needed
• the governing body or board of trustees for oversight and strategic risk management there are some questions governors and trustees can ask that will help them to understand the school or colleges IT estate

If you do not have the technical expertise in-house, you will need to get advice from an external support pr

View the original news story