In today’s digital-first education world, cyber threats are more real than ever. Schools, colleges, and universities depend heavily on technology — from managing admin systems to delivering online learning. But with this reliance comes risk.
Educational institutions hold vast amounts of sensitive data about students, staff, and finances, making them a prime target for cybercriminals.
That’s where Cyber Essentials and Cyber Essentials Plus come in — two key assurance certifications that help organisations protect themselves from common cyber threats, meet compliance requirements, and boost cyber confidence.
What Are Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a UK government-backed cybersecurity certification that helps organisations guard against a range of the most common attacks.
Cyber Essentials Plus builds on this by adding a hands-on technical audit carried out by a qualified assessor, giving you greater assurance that your defences actually work.
Both certifications focus on five core areas:
- Firewalls & Gateways – Protect your network from unauthorised access.
- Secure Configuration – Set up systems safely to reduce vulnerabilities.
- Access Control – Limit user access to sensitive information.
- Malware Protection – Detect and prevent malicious software.
- Patch Management – Keep software up to date to close security gaps.
What’s Changing?
Cyber Essentials Requirement Updates
The Cyber Essentials: Requirements for IT Infrastructure v3.3, published by the NCSC on 3 November 2025, includes a few key updates:
- You must now justify any parts of your infrastructure excluded from scope.
- Cloud services cannot be excluded — if you use them in your scope, they must be included in your assessment. Also, multi-factor authentication (MFA) remains mandatory for cloud accounts (and recommended everywhere it’s available).
- The wording around ‘untrusted connections’ has been simplified in the scope criteria — the criteria now apply to all network and internet connections.
- FIDO2 has been added to the definition of passwordless authentication, with generally greater emphasis on and clarity about this authentication method.
- Data backups are strongly encouraged as good practice, although not a requirement.
- There’s now a link to the Software Security Code of Practice to support secure software development and testing.
The Question Set
The current Willow question set will be replaced by Danzell on 27 April 2026.
The primary changes introduce a stronger focus on defining the scope of assessment. This helps to improve transparency and to ensure that the scope of an assessment is clearly defined and accurately represented. Where a partial scope is being pursued, organisations will be required to:
- Give a detailed scope description, visible on the digital certification platform.
- Describe any excluded networks: why, and how the segregation is technically achieved, including details of the equipment creating the segregation (not made public; software firewalls cannot be the boundary of a partial scope).
- Include all legal entities within the scope of the certification, providing details such as name, address and company number if applicable. Individual certificates will be available for a small charge for each legal entity within a larger scope, ensuring greater transparency.
IASME have confirmed changes to the marking criteria for MFA and security update management:
- Where MFA is available on a cloud service (natively or via a third-party solution, free or paid for) and it has not been applied to all user and admin accounts, this will be an automatic failure.
- Non-compliance with either of the two questions confirming that all high-risk or critical security updates and vulnerability fixes to operating systems, including router and firewall firmware, or applications are installed within 14 days of release will result in an automatic failure.
Further details of changes can be found on the IASME blog: Important Update: Changes to Cyber Essentials for April 2026
Cyber Essentials Plus (CE+) Audit Updates
A new test specification will be released in due course for the 2026 rollout. IASME have shared the following on their blog:
- Stricter verification of update management compliance: IASME reports instances of organisations ‘applying selective updates’ during the CE+ assessment process. To combat this, in addition to re-testing devices that were missing required updates in the initial test, assessors will also test a new random sample to ensure the identified updates have been applied more widely than just to the devices in the original sample. Failure of the second test will result in revocation of the Cyber Essentials certificate. Further detail can be found here: Cyber Essentials Plus – Danzell testing changes – Cyber security
- Cyber Essentials responses are fixed for CE+: Organisations will no longer be allowed to adjust their Cyber Essentials responses after CE+ testing begins. This will ensure the integrity of the certification process.
Preparing for CE+
CE+ provides hands-on validation that your cybersecurity measures don’t just exist — they actually work.
You have 90 days from passing your self-assessment to achieve CE+, including a 30-day window to fix any issues found in the audit.
Example:
If you pass Cyber Essentials on 30/10/2026, you must complete CE+ by 30/01/2027.
If your audit happens on 05/01/2027, you’ll have 25 days left for remediation.
Steps to Get Ready
- Run a Gap Analysis
Review your current cybersecurity setup and identify areas for improvement. Use your one-hour guidance session to clarify any questions.
- Implement the Cyber Essentials Controls
Make sure all five core areas — firewalls, configurations, access control, malware protection, and patching — are fully in place.
- Test Your Defences
Carry out vulnerability scans or penetration tests to identify weak spots early.
- Work with a Certification Body
As an accredited certification body, Jisc can guide you through both the self-assessment and CE+ audit.
- Prepare Your Team
Make sure everyone involved knows what’s needed for the audit — planning ahead keeps the process smooth.
- Keep It Going
Cyber Essentials and Plus aren’t one-time achievements. Regular reviews and updates are key to staying protected.
Why It Matters for Education
For colleges, universities, and schools, Cyber Essentials and Cyber Essentials Plus aren’t just badges of compliance — they’re a cornerstone of a strong cybersecurity strategy.
They help you:
- Protect sensitive student and staff data.
- Meet funding and regulatory requirements.
- Build a culture of cybersecurity awareness.
- Strengthen resilience against growing cyber threats.
In an era of digital learning and rising cyber risks, investing in Cyber Essentials is investing in the safety and success of your institution.
Cybersecurity isn’t just about ticking boxes — it’s about protecting your mission to educate, innovate, and inspire.
Contact your Relationship Manager to find out how Jisc can help support you on your journey.