DFE makes Cyber Essentials mandatory for Colleges and SPIS

The recent DfE announcement that the 2024-2025 funding year will see it remove annual IT healthchecks for colleges and Special Post-16 Institutions (SPIs) and replace them with mandatory Cyber Essentials certification is causing a stir in education circles.

Simon Hopkin, our Head of Cyber Security here at ITPS, takes a look at the changes

What does this announcement mean?

Annual IT healthchecks have long been seen as an onorous and expensive task. The switch to Cyber Essentials is set to make it easier for education organisations to streamline and strengthen their cyber security defences and demonstrate their practical commitment to cyber security.

The threat landscape has never been more serious, and the latest report from the National Cyber Security Centre (NCSC) points to prevention best practices, rather than detection, in order to minimise potential exposure to an attack. Achieving Cyber Essentials is the first step in securing your organisation’s online safety.

FE colleges have long been expected to meet the requirements for Cyber Essentials and it would be logical to assume that schools will eventually be required to follow the same path, as the DfE makes Cyber Essentials mandatory across the education sector.

How do I get started?

IASME, the NCSC cyber essentials delivery partner, has a free Cyber Essentials Readiness tool here, to get you started on the right path: Education - Cyber Essentials Knowledge Hub - Cyber Essentials Knowledge Hub (iasme.co.uk)

How does the Cyber Essentials process work?

Cyber Essentials digs deep into organisations to help them guard against the most common cyber threats and close supply chain vulnerabilities, which are a prime target for hackers. It’s a natural progression from the standard annual IT healthchecks with which the education sector is familiar.

The CE standard looks at evidence across five key technical security controls:

•          Firewalls to secure internet connections
•          Security settings on devices and software
•          Access control for data and services
•          Defence against malware and viruses
•          Device and software patching

Our security experts work alongside customers to go through the Cyber Essentials readiness toolkit, assessing the organisation against the five basic security controls and helping to identify potential gaps. A crucial part of what we do is to provide guidance on interpreting the questions in some areas, which even the lead Cyber Essentials delivery body IASME says can be difficult to understand, particularly for organisations that have a complex operating structure.   

Once the readiness toolkit is completed, we map it to the gap analysis to come up with a tailored action plan to help the customer through certification.  

Choosing the right Cyber Essentials partner

It’s vital to work with a partner who has a strong track record and the right cyber security credentials. Cyber Essentials services have formed part of our portfolio here at ITPS since the government launched the programme in 2014 as part of the National Cyber Strategy.

We work with customers to guide them through the Cyber Essentials Readiness Toolkit, helping them create an action plan to make sure they meet Cyber Essentials requirements. We then help then complete each stage of the self-assessment questionnaire, which is independently verified by a qualified assessor at a registered certification body.

In 2023 we were awarded certification status, marking us out as one of only a handful of North East organisations approved as an independent expert assessor of organisations looking to achieve Cyber Essentials.

We support organisations ranging from education and charity through to SMEs and large blue chip companies, working with them to help them become more secure and protected from attack as they securely embrace digital technologies.

What are the timescales?

As the DfE is looking to implement the change in the 2024 to 2025 funding year, we are urging colleges and SPIs to start the process as soon as autumn term begins.

Get in touch now

If you're a college or an SPI and you would like a chat about how we can help you achieve Cyber Essentials, get in touch with our expert cyber security team here at ITPS.