Cyber Essentials for Schools, Colleges, and Universities
Education is under more cybersecurity pressure than most sectors. Schools have been a repeated ransomware target through 2024 and 2025. The Department for Education now publishes explicit cybersecurity standards for schools and colleges. Jisc recommends Cyber Essentials for universities as part of the broader higher education cybersecurity posture. And research funders, corporate partners, and international collaborators are increasingly asking about CE during institutional due diligence.
This guide covers what Cyber Essentials means in a UK educational context, how the controls map to the infrastructure schools and universities typically run, and the specific issues that catch education applicants during assessment.
Why education needs Cyber Essentials
DfE Digital Standards for Schools. The Department for Education's published digital standards for schools and colleges recommend CE as part of the baseline cybersecurity posture. For academies, multi-academy trusts, and maintained schools applying for capital funding, CE is increasingly being referenced in due diligence.
Jisc and higher education expectations. Jisc (the UK HE digital infrastructure body) recommends CE for member institutions. HEFCE / OfS funding contracts reference "appropriate cybersecurity controls"; CE is the simplest way to meet that expectation.
Research funder due diligence. UKRI, Horizon Europe participants, and individual research funders routinely ask about the cybersecurity posture of institutions bidding for grants, particularly for projects involving personal data (medical research, social sciences, clinical trials).
Ransomware risk. Education was the second-most-targeted UK sector for ransomware in 2024 and 2025. Insurers and internal audit functions are increasingly treating CE as a de-facto minimum for cyber insurance renewal and risk committee sign-off.
What school and university infrastructure looks like
A typical UK school runs:
Universities add research computing clusters, library e-resource platforms (EBSCO, JSTOR, ProQuest), student systems (SITS, Banner, Tribal), research data repositories, and significantly more complex identity infrastructures.
What is in scope, what is not
For a school, the useful Cyber Essentials scope is usually the staff estate, not the pupil estate. Specifically:
In scope (usual):
Out of scope (usually, via sub-set exclusion):
This is the standard pattern assessors expect. The scope declaration says something like: "Staff and admin estate; pupil estate is operated as an isolated sub-set with separate identity, network segmentation, and no access to in-scope staff systems."
Documenting this clearly is more than half the battle. A school that tries to certify "everything including pupil Chromebooks" will struggle; a school that cleanly scopes staff-only will find the assessment manageable.
The MIS and the sensitive data question
Management Information Systems hold data that is both high-sensitivity and high-volume: pupil SEN records, safeguarding notes, free school meals eligibility, parental contact details, attendance records, behaviour logs. Losing or leaking this data has serious regulatory and safeguarding consequences.
Cyber Essentials does not go into MIS-specific controls in detail, but assessors will probe:
SIMS has Capita-managed MFA; Arbor, Bromcom, and ScholarPack all support MFA natively. Any school not enforcing MFA on the MIS is running a real risk irrespective of CE.
Pupil devices and the BYOD question in schools
Pupils with laptops or tablets are the largest single device population in most schools but rarely need to be in Cyber Essentials scope. The workable position:
Pupils have their own identity. Their Google or Microsoft tenant accounts are separate-tenant, domain-separated, or at minimum in their own OU / tenant partition with no rights to staff resources. Pupils cannot log into staff devices. Staff cannot log into pupil devices with corporate credentials.
Network segmentation. Pupils use a separate wifi SSID (sometimes a separate VLAN) that cannot route to staff systems. This is standard DfE-recommended practice in any case.
Safeguarding monitoring applies only to pupil-used devices, operating in the pupil network, not on staff devices.
If those conditions hold, you can declare the pupil estate as out-of-scope and certify just the staff estate. The scope statement in the questionnaire is specific: "The assessed scope is staff and administrative users only. Pupil devices operate on a segmented network with separated identity; pupil accounts and devices are out of the assessed scope."
University research computing
For universities, research computing is a distinctive complication. HPC clusters, research group servers, bespoke experimental kit, and departmental servers often run configurations that do not fit neatly into the Cyber Essentials question set. The acceptable positions:
Position 1: Scope the administrative estate only. Most universities certify the professional services / corporate estate (finance, HR, registry, estates, library admin) and keep research computing in an explicitly-excluded sub-set. This is the most common UK HE pattern.
Position 2: Certify to Cyber Essentials Plus with research computing in scope. Possible for institutions with dedicated research computing security teams. Requires the research environment to meet the same baseline controls as the rest of the estate.
Position 3: Certify each research centre separately. Some universities treat individual research centres as separate scope-units, particularly where they have their own IT teams and funding lines.
Most UK universities choose Position 1. The submission names the research computing environment as explicitly out of scope with reasons, and certifies the corporate / professional services estate.
The five education-specific failures I see
1. MIS without MFA. Still common. Every school MIS supports MFA; not every school enforces it.
2. Shared classroom computer logins with MIS access. The classroom PC is logged in as "classroom1" which has MIS access "for the office to update". Shared accounts fail.
3. Leaver processes lagging the academic cycle. A teacher leaves in July; their accounts are not disabled until September (or later, or never). Accounts need to be disabled within one working day of the leaving date, regardless of term time.
4. Staff devices not in MDM. Teaching staff laptops are "managed" in the sense that they were imaged a few years ago, but there is no active MDM pushing current policy. The IT team thinks they have baseline coverage; they do not.
5. BYOD for staff. Teaching staff check work email on personal phones; personal phones are not in MDM. Very common. Either bring them into MDM, restrict email access to managed devices, or document the exception.
Practical path to certification for a school
If you are an academy, MAT, or maintained school with 50-500 staff:
1. Decide the scope boundary. Staff and admin only; pupils out via sub-set exclusion.
2. Enforce MFA on every staff account across every cloud service — M365, MIS, finance, HR, safeguarding platform.
3. Enrol staff laptops in MDM. Intune for M365 Education schools, Jamf or similar for Apple-heavy estates.
4. Run a leaver reconciliation. Pull the HR list; compare against active accounts in every in-scope system; disable anything that should not be there.
5. Document scope clearly in the questionnaire: staff in, pupils out via stated segmentation.
6. Submit. CE small (10-49 staff) £399.99 + VAT; medium (50-249) £449.99 + VAT; large (250+) £549.99 + VAT.
For a small primary school with fewer than 10 teachers, CE Micro from £299.99 + VAT is appropriate.
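The leaver reconciliation in step 4, checked against the one-working-day rule from failure 3, can be scripted as follows. This is an added example, not code from the author or from any MIS vendor; the CSV column names, the sample accounts, and the weekend-only reading of "working day" are assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports; column names are assumptions, not a real MIS/HR schema.
HR_CSV = """email,status,leaving_date
a.khan@school.example,active,
b.jones@school.example,leaver,2025-07-18
c.smith@school.example,leaver,2025-07-22
"""
ACCOUNT_EXPORTS = {
    "m365": "email,enabled\na.khan@school.example,true\n"
            "b.jones@school.example,true\nclassroom1@school.example,true\n",
    "mis": "email,enabled\na.khan@school.example,true\n"
           "b.jones@school.example,false\nc.smith@school.example,true\n",
}

def disable_deadline(leaving):
    """One working day after the leaving date (weekends skipped, holidays not modelled)."""
    day = leaving + timedelta(days=1)
    while day.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        day += timedelta(days=1)
    return day

def reconcile(hr_csv, account_exports, today):
    """Return (system, email, finding) for every enabled account HR cannot justify."""
    hr = {r["email"].lower(): r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for system, export in account_exports.items():
        for row in csv.DictReader(io.StringIO(export)):
            if row["enabled"].strip().lower() != "true":
                continue  # already disabled, nothing to do
            email = row["email"].strip().lower()
            person = hr.get(email)
            if person is None:
                # Shared or orphaned logins surface here: no named owner in HR.
                findings.append((system, email, "no HR record"))
            elif person["status"] == "leaver":
                deadline = disable_deadline(date.fromisoformat(person["leaving_date"]))
                state = "overdue since" if today > deadline else "disable by"
                findings.append((system, email, f"leaver, {state} {deadline}"))
    return findings

if __name__ == "__main__":
    for finding in reconcile(HR_CSV, ACCOUNT_EXPORTS, date(2025, 7, 23)):
        print(*finding, sep="\t")
```

Running it per in-scope system also surfaces shared logins such as the "classroom1" account from failure 2, because they have no matching HR record.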
Bottom line
Education is being pushed toward Cyber Essentials because the sector has been disproportionately targeted and because the consequences of a successful attack — safeguarding data leaks, disruption to teaching, financial theft — are severe. The certification is reasonable to achieve if you scope the staff estate correctly and enforce MFA consistently across the MIS and the rest of the cloud stack. The schools that struggle are the ones trying to certify too much (pupils and BYOD personal devices included) or the ones whose staff-side cloud posture has drifted over multiple academic years. Tighten the staff estate, document the pupil exclusion, and the assessment is manageable.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.