Author: Joy Findlay, Cyber Essentials assessor
Why Cyber Essentials and Cyber Essentials Plus Matter for the Education Sector
In today’s digital-first education world, cyber threats are more real than ever. Schools, colleges, and universities depend heavily on technology, from managing admin systems to delivering online learning. But with this reliance comes risk.
Educational institutions hold vast amounts of sensitive data about students, staff, and finances, making them a prime target for cyber criminals.
That’s where Cyber Essentials and Cyber Essentials Plus come in: two key frameworks that help organisations protect themselves from common cyber threats, meet compliance requirements, and boost cyber confidence.
What Are Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a UK government-backed cybersecurity certification that helps organisations guard against a range of the most common attacks.
Cyber Essentials Plus builds on this by adding a hands-on technical audit carried out by a qualified assessor, giving you greater assurance that your defences actually work.
Both certifications focus on five core areas:
- Firewalls & Gateways – Protect your network from unauthorised access.
- Secure Configuration – Set up systems safely to reduce vulnerabilities.
- Access Control – Limit user access to sensitive information.
- Malware Protection – Detect and prevent malicious software.
- Patch Management – Keep software up to date to close security gaps.
What’s Changing?
Cyber Essentials Requirement Updates
The Cyber Essentials: Requirements for IT Infrastructure v3.3, published by the NCSC on 3 November 2025, includes a few key updates:
- You must now justify any parts of your infrastructure excluded from scope.
- Cloud services cannot be excluded — if you use them in your scope, they must be included in your assessment. Also, multi-factor authentication (MFA) remains mandatory for cloud accounts (and recommended everywhere it’s available).
- The wording around ‘untrusted connections’ has been simplified in the scope criteria. The criteria now apply to all network and internet connections.
- FIDO2 has been added to the definition of passwordless authentication, with generally greater emphasis on, and clarity about, this authentication method.
- Data backups are strongly encouraged as good practice, although not a requirement.
- There’s now a link to the Software Security Code of Practice to support secure software development and testing.
The Question Set
The current Willow question set will be replaced by Danzell on 27 April 2026.
IASME have confirmed a change to the marking criteria for MFA: where MFA is available on a cloud service and it has not been applied to all user and admin accounts, this will be an automatic failure.
Source: IASME, “Upcoming Changes to the Cyber Essentials scheme: April 2026 Update”
We’ll share more updates as soon as it’s published in February 2026.
Cyber Essentials Plus (CE+) Audit Updates
A new test specification will be released in February for the 2026 rollout.
Preparing for CE+
CE+ provides hands-on validation that your cyber security measures don’t just exist; they actually work.
You have 90 days from passing your self-assessment to achieve CE+, including a 30-day window to fix any issues found in the audit.
Example:
If you pass Cyber Essentials on 30/10/2026, you must complete CE+ by 30/01/2027.
If your audit happens on 05/01/2027, you’ll have 25 days left for remediation.
Steps to Get Ready
- Run a Gap Analysis
Review your current cybersecurity setup and identify areas for improvement. Use your one-hour guidance session to clarify any questions.
- Implement the Cyber Essentials Controls
Make sure all five core areas (firewalls, configurations, access control, malware protection, and patching) are fully in place.
- Test Your Defences
Carry out vulnerability scans or penetration tests to identify weak spots early.
- Work with a Certification Body
As an accredited certification body, Jisc can guide you through both the self-assessment and CE+ audit.
- Prepare Your Team
Make sure everyone involved knows what’s needed for the audit; planning ahead keeps the process smooth.
- Keep It Going
Cyber Essentials and Plus aren’t one-time achievements. Regular reviews and updates are key to staying protected.
Why It Matters for Education
For colleges, universities, and schools, Cyber Essentials and Cyber Essentials Plus aren’t just badges of compliance; they’re a cornerstone of a strong cybersecurity strategy.
They help you:
- Protect sensitive student and staff data.
- Meet funding and regulatory requirements.
- Build a culture of cybersecurity awareness.
- Strengthen resilience against growing cyber threats.
In an era of digital learning and rising cyber risks, investing in Cyber Essentials is investing in the safety and success of your institution.
Cyber security isn’t just about ticking boxes; it’s about protecting your mission to educate, innovate, and inspire.
Contact your Relationship Manager to find out how Jisc can help support you on your journey.