Cyber Essentials and Trust Assurance: Practical Controls

Cyber Essentials sits in an interesting place for academy trusts. It is widely recognised, relatively straightforward to explain to trustees, and it focuses attention on the controls that stop many common attacks. That is a strong starting point. The risk is that it becomes a badge rather than an assurance story. Trustees and audit and risk committees need to be able to answer a more operational question: are our cyber controls working consistently across every school, every device, and every key system that keeps the trust running?

The DfE’s digital and technology standards reinforce that cyber security is a leadership responsibility, not something that can be delegated to an IT team and forgotten. The standards are maintained and updated, with amendments as recently as February 2026. (GOV.UK) Cyber Essentials can help you set a baseline, but trust assurance depends on how well controls are embedded day to day, and whether you can evidence that in governance reporting.

This guide explains how to use Cyber Essentials as the foundation for a practical trust assurance model. It covers what to test, what evidence to collect, how to report in a governance friendly way, and a realistic 90 day improvement plan.

What Cyber Essentials gives you, and what it does not

Cyber Essentials is a government backed scheme that helps organisations protect themselves against common online threats. (GOV.UK) The National Cyber Security Centre describes it as a certification scheme aligned to five technical controls designed to prevent the most common internet based attacks. (NCSC)

Those five control themes are set out clearly in the NCSC requirements document:

  1. Firewalls
  2. Secure configuration
  3. Security update management
  4. User access control
  5. Malware protection (NCSC)

A key concept in Cyber Essentials is scope. The scheme expects you to define the scope boundary and agree it with the certification body before assessment begins. (NCSC) That matters for academy trusts because the temptation is to draw the boundary so that it excludes the hardest parts of the estate, such as legacy devices, a school with a different network setup, or a third party managed service that is awkward to evidence. A narrow scope can still be legitimate, but it reduces the comfort a board can take when they are thinking about trust wide risk, and the committee should know exactly what sits outside it.

So what does Cyber Essentials not give you automatically?

It does not prove that controls operate consistently across every school. It does not prove that staff leavers are removed promptly from every system. It does not prove that backups can be restored quickly when it matters most. It does not prove that incident response works under pressure. Those are the areas where internal scrutiny and governance reporting add real value.

If you are looking for a simple way to explain this to trustees, I find it helps to frame Cyber Essentials as a baseline for what controls should exist. Trust assurance is then about how reliably those controls operate across the trust, including the weak points you already suspect are there.

The DfE expectations trustees should have in mind

The DfE’s “Meeting digital and technology standards in schools and colleges” guidance sets out a suite of standards covering cyber security, digital leadership and governance, filtering and monitoring, IT support, and more. (GOV.UK) It is actively maintained, with recorded updates through 2024 and 2025, and amendments in early 2026. (GOV.UK)

Two messages from that guidance are especially important for academy trust boards:

  • Cyber security is presented as a core standard and a culture issue, with an emphasis on awareness and reporting so incidents are identified quickly and contained. (GOV.UK)
  • The standards were updated to make clear that cyber security tasks sit with both senior leadership and IT support, and that it is a shared responsibility across roles. (GOV.UK)

From a governance angle, this is helpful because it supports a balanced assurance approach. Trustees should not be reading a technical report and trying to judge whether the firewall rules look sensible. They should be asking whether leadership ownership, processes, and evidence are strong enough to manage risk.

One small but practical detail illustrates the point about currency. The DfE updates log shows an amendment in February 2026 updating references from “Action Fraud” to the organisation’s new name “Report Fraud” in the cyber security core standard. (GOV.UK) It is not the biggest control in the world, but it shows why cyber guidance needs active maintenance and why incident and reporting pathways should be reviewed, not left on a shelf.

Why Cyber Essentials belongs in your Academy Trust Handbook assurance story

The Academy Trust Handbook requires trusts to have sound internal control, risk management and assurance processes, following a tiered approach that includes internal scrutiny overseen by an audit and risk committee. (GOV.UK) Internal scrutiny must provide independent assurance over financial and non financial controls, and it must be planned on a risk basis with reference to the trust’s risk register. (GOV.UK)

Cyber is a non financial control area with direct operational consequences. A ransomware incident can halt teaching systems, disrupt payroll processing, break catering and payments, and trigger intense safeguarding and data protection pressure. Boards do not need to be cyber specialists to take cyber risk seriously, but they do need an assurance mechanism that gives them a realistic view of exposure and progress.

My view is that Cyber Essentials fits neatly into this model as a control baseline. The internal scrutiny programme then tests whether the baseline is implemented properly, and whether the trust has the governance and operational discipline to keep it in place across a changing environment.

Building a trust assurance model around Cyber Essentials

A practical assurance model has three layers:

1. Define scope in a way trustees can recognise

For academy trusts, scope should be described in plain language. Which schools are in scope? Which networks? Which cloud platforms? Which identity systems? Which devices? Which third party managed services?

Cyber Essentials itself expects the organisation to define the scope boundary and to be clear about what is in scope. (NCSC) The trust assurance view should go a step further by explaining where the trust is most exposed if controls fail, such as identity systems, safeguarding related data, finance systems, and communications platforms.

2. Translate the five Cyber Essentials themes into trust wide tests

The five technical control themes are a good organising structure, but a trust should test them in a way that reflects MAT realities. Variation between schools is where risks hide. A trust might have excellent patching centrally, but one academy could be running an outdated server because it supports a legacy timetable system. That single exception can drive a large incident.

3. Add two “governance” domains that Cyber Essentials does not cover fully

For trustees, two domains tend to matter as much as the technical baseline:

  • Incident management and escalation
  • Backup, recovery and service continuity

The DfE standards highlight the importance of awareness, reporting and a culture that supports early identification of risk. (GOV.UK) Trustees should therefore expect evidence of training, reporting routes, rehearsals, and learning loops, not just a technical configuration pack.

A practical control testing framework for multi academy trusts

Below is a framework that works well for internal scrutiny and audit style reviews. It is designed to be repeatable term to term, and comparable across schools.

Identity and access control

What you are trying to prove is simple: the right people have the right access, and nobody else does.

Evidence worth testing includes joiners, movers and leavers processes, privileged accounts, multi factor authentication coverage, and how quickly access is removed when someone leaves. User access control is explicitly one of the Cyber Essentials technical control themes. (NCSC)

For MATs, sampling should be trust wide, not based on a single central team report. Pick a set of leavers from different academies, including casual staff and contractors, and test whether accounts were disabled across all relevant systems. If you only test the directory account and ignore third party platforms, you miss the risk.

Patch and update management

Cyber Essentials calls this security update management, and it is one of the core control themes. (NCSC)

In assurance terms, patching is where you can usually find the biggest gap between policy and practice. Your controls might say "patch within 14 days" (the Cyber Essentials requirement is that updates fixing vulnerabilities the vendor rates high or critical are applied within 14 days of release), but the reality could be that schools defer restarts for weeks. Or the estate includes devices that cannot be patched because they are unsupported.

Trustees do not need a patch report with 10,000 lines. They need confidence that:

  • coverage is measured
  • exceptions are owned and time bound
  • unsupported software is identified and planned out

If you cannot explain how you deal with exceptions, you do not really have a patching control, you have a patching intention.
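The three tests above (coverage measured, exceptions owned and time bound, unsupported software identified and planned out) and the school level variation point from earlier can be turned into a single repeatable check. This is an added example, not code from the page or from internalscrutiny.co.uk. It runs over a constructed device inventory and a constructed exception register with hypothetical device IDs and school names, applies the 14 day rule to the oldest outstanding high or critical update on each device, and only credits an exception that has a named owner and has not expired.

```python
from datetime import date

AS_OF = date(2026, 2, 24)
SLA_DAYS = 14  # Cyber Essentials: high/critical fixes applied within 14 days of release

# Constructed inventory: one row per device, with the release date of the
# oldest high/critical update still outstanding (None = nothing outstanding)
# and whether the OS is still vendor supported.
DEVICES = [
    {"id": "OAK-LT-001", "school": "Oakvale",  "os": "Windows 11",             "supported": True,  "oldest_pending": None},
    {"id": "OAK-LT-002", "school": "Oakvale",  "os": "Windows 11",             "supported": True,  "oldest_pending": date(2026, 2, 15)},
    {"id": "OAK-SV-001", "school": "Oakvale",  "os": "Windows Server 2012 R2", "supported": False, "oldest_pending": date(2025, 11, 3)},
    {"id": "RDG-LT-001", "school": "Ridgeway", "os": "Windows 11",             "supported": True,  "oldest_pending": date(2026, 1, 20)},
    {"id": "RDG-LT-002", "school": "Ridgeway", "os": "Windows 11",             "supported": True,  "oldest_pending": date(2026, 1, 25)},
    {"id": "RDG-LT-003", "school": "Ridgeway", "os": "macOS 15",               "supported": True,  "oldest_pending": None},
]

# Constructed exception register. An exception only counts if it has an
# owner and an expiry date that has not passed; anything else is unmanaged.
EXCEPTIONS = {
    "OAK-SV-001": {"owner": "Trust IT lead", "reason": "legacy timetable system", "expires": date(2026, 7, 31)},
    "RDG-LT-001": {"owner": "",              "reason": "awaiting restart",        "expires": date(2026, 2, 10)},
}


def exception_is_valid(exc, as_of):
    """Owned and time bound, or it is not an exception."""
    return bool(exc and exc.get("owner") and exc["expires"] >= as_of)


def classify(device, exceptions, as_of, sla_days=SLA_DAYS):
    """Map one inventory row to a single assurance status."""
    exc_ok = exception_is_valid(exceptions.get(device["id"]), as_of)
    if not device["supported"]:
        # Cannot be patched at all: the only acceptable state is a planned exit.
        return "unsupported_planned" if exc_ok else "unsupported_unplanned"
    pending = device["oldest_pending"]
    if pending is None:
        return "compliant"
    if (as_of - pending).days <= sla_days:
        return "within_sla"
    return "overdue_excepted" if exc_ok else "overdue_unmanaged"


def summarise(devices, exceptions, as_of=AS_OF, sla_days=SLA_DAYS):
    """Per-school SLA attainment and managed share, plus exceptions to chase.

    sla_pct answers "is coverage measured"; managed_pct adds devices whose
    gap is owned and time bound; unmanaged lists what the board should worry about.
    """
    by_school = {}
    for d in devices:
        s = by_school.setdefault(d["school"], {"total": 0, "meets_sla": 0, "managed": 0, "unmanaged": []})
        status = classify(d, exceptions, as_of, sla_days)
        s["total"] += 1
        if status in ("compliant", "within_sla"):
            s["meets_sla"] += 1
            s["managed"] += 1
        elif status in ("overdue_excepted", "unsupported_planned"):
            s["managed"] += 1
        else:
            s["unmanaged"].append((d["id"], status))
    for s in by_school.values():
        s["sla_pct"] = round(100 * s["meets_sla"] / s["total"])
        s["managed_pct"] = round(100 * s["managed"] / s["total"])
    stale = sorted(dev for dev, exc in exceptions.items() if not exception_is_valid(exc, as_of))
    return {"by_school": by_school, "stale_exceptions": stale}


if __name__ == "__main__":
    report = summarise(DEVICES, EXCEPTIONS)
    for school, s in report["by_school"].items():
        print(f"{school:<9} sla {s['sla_pct']:>3}%  managed {s['managed_pct']:>3}%  unmanaged {s['unmanaged']}")
    print("exceptions to chase:", report["stale_exceptions"])
```

The two percentages deliberately differ. A school can be below the 14 day target and still be under control if every gap is owned and dated; a school with the same raw figure but no owner for its overdue devices is the one that needs escalation. The stale exception list is the follow up item for internal scrutiny: an expired or ownerless entry means the control has lapsed back into an intention.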

Firewalls and boundary protection

Firewalls are a Cyber Essentials theme. (NCSC) In a trust environment, you will often have a mix of central and local arrangements, plus third party services. Testing should focus on two things: whether boundaries are controlled and whether remote access is managed safely.

A useful approach is to test a small number of schools in detail each term on a rolling basis, rather than skimming all schools superficially once a year.

Secure configuration and endpoint standards

Secure configuration is another Cyber Essentials theme. (NCSC) This is where trusts can make big assurance gains through standardisation. A trust with a strong device build, managed updates, controlled admin rights, and consistent endpoint security will usually withstand common attacks far better than a trust where each school has its own local “fix it when it breaks” approach.

If your trust uses mobile device management or central device policies, test whether they are enforced across all device types, including staff laptops, classroom devices, and any shared admin machines.

Malware protection and monitoring

Malware protection is part of the Cyber Essentials control set. (NCSC) For schools, this interacts with filtering and monitoring, safeguarding expectations, and user behaviour. Your assurance testing should include whether endpoint protection is actually active and up to date, and how alerts are handled.

This is also where governance reporting matters. If malware alerts are rising, do you know why? Is it a training issue, a policy issue, or a control gap? The DfE cyber security core standard places emphasis on awareness and rapid reporting to stop incidents spreading. (GOV.UK) Boards should expect to see that principle reflected in practice.

Evidence standards that make assurance credible

Evidence quality is the difference between “we believe we are secure” and “we can show we are managing risk properly”.

A simple evidence standard for cyber assurance can include:

  • access review records, including privileged accounts
  • leaver deprovisioning evidence across identity and key platforms
  • patch compliance summaries with exception logs
  • endpoint protection coverage reports and remediation actions
  • backup test evidence, including successful restore tests
  • incident playbooks, plus evidence of rehearsals or real incident handling
  • governance reporting extracts showing discussion, actions, and escalation

Cyber Essentials itself notes that applicants may be required to supply evidence before certification is awarded. (NCSC) Trust assurance should build on that mindset and ensure evidence is indexed and retrievable. If evidence is scattered across inboxes and shared drives, follow up becomes slow and confidence drops.

My recommendation is to keep a simple evidence index that links each finding to its supporting artefacts and closure proof. This is not about creating bureaucracy. It is about making it possible to re test quickly and to give trustees a consistent narrative.

Governance reporting that trustees can actually use

Cyber reporting fails when it is either too technical or too vague. A governance ready pack should be short, consistent, and focused on risk and decisions.

A practical committee view often includes:

  • a one page summary of current cyber risk position by domain
  • the top overdue high risk actions and what is blocking them
  • trends that matter, such as patch compliance, MFA coverage, and backup test outcomes
  • a short incident summary, including near misses and learning points
  • planned assurance work for the next term

This aligns well with the audit and risk committee’s role in overseeing internal scrutiny and reporting to the board on the adequacy of the control framework. (GOV.UK)

If you want to keep it simple, set three or four key indicators and report them consistently. Trustees build confidence through consistency. They do not need a new dashboard each meeting.

Incident and recovery readiness testing

Most trusts have an incident response document. Fewer have rehearsed it in a way that tests real decision making.

Readiness testing should look at:

  • whether roles and escalation contacts are current
  • whether decision making routes are clear for severe incidents
  • how quickly critical systems can be recovered
  • how communications with staff, parents, and governance would be handled
  • whether lessons learned are turned into control improvements

The DfE updates log is a useful reminder that reporting routes and terminology change over time, including references to “Report Fraud” in the cyber security guidance. (GOV.UK) That is why rehearsal is valuable. It surfaces what is out of date before you need it.

In assurance terms, the most persuasive evidence in this area is a successful restore test. A screenshot of a backup job is not the same as proof that you can recover the MIS database or the finance platform within an acceptable timeframe.

A practical 90 day cyber improvement plan for trusts

When a trust identifies cyber gaps, the instinct is often to buy a new tool. Sometimes that is necessary, but many of the quickest wins are process and consistency fixes.

A 90 day plan that works well:

  1. Days 1 to 15: Baseline and scope

    • confirm trust wide scope and identify the schools and systems that carry the highest risk
    • baseline the five Cyber Essentials themes across a sample of schools
    • agree what “good” looks like in your trust for patching, access, and backups (NCSC)
  2. Days 16 to 30: Urgent fixes

    • remove or time bound the biggest exceptions, such as unsupported software or unmanaged privileged accounts
    • tighten leaver processes and confirm MFA expectations across key platforms
  3. Days 31 to 45: Standardise evidence and reporting

    • introduce a consistent evidence index
    • agree a simple committee reporting format that focuses on risk and overdue actions
  4. Days 46 to 60: Targeted follow up testing

    • re test the highest risk issues and confirm closure with evidence
  5. Days 61 to 75: Incident and recovery rehearsal

    • run a table top exercise and a restore test for at least one critical system
    • capture actions and owners, then schedule follow up
  6. Days 76 to 90: Governance sign off and next cycle planning

    • report outcomes to the audit and risk committee with a clear residual risk view
    • integrate the next set of cyber assurance work into the internal scrutiny plan (GOV.UK)

The aim is a steady move towards consistency. You should be able to show progress in control operation, not just progress in documentation.

Common mistakes that reduce trust assurance

A few patterns come up repeatedly.

The first is treating Cyber Essentials certification as the end point. It is a good baseline, but it does not automatically tell you whether controls operate consistently across every academy.

The second is allowing school level variation to remain invisible. Variation in patching, device configuration, or admin rights can undermine the trust’s overall position.

The third is weak closure evidence. If a high risk cyber issue is marked “complete” without a re test or solid evidence, the board is being asked to rely on optimism.

The fourth is treating cyber as an IT report rather than a governance risk report. The DfE standards emphasise shared responsibility between leadership and IT support, and that should be reflected in ownership and reporting. (GOV.UK)

How internalscrutiny.co.uk can help

internalscrutiny.co.uk helps trusts build cyber assurance that stands up in governance settings. We work with trusts to turn Cyber Essentials control themes into practical, evidence based testing, with reporting that supports audit and risk committee oversight and internal scrutiny follow up. That includes designing a repeatable test framework, reviewing evidence quality, and supporting trusts to prioritise improvements that reduce real operational risk.

You can align this with our cyber and data compliance support, add focused review coverage through bespoke audits, or discuss priorities via the Contact page.

Sources

Checked on 24 February 2026.

  1. GOV.UK, Academy trust handbook 2025: effective from 1 September 2025 (updated 22 October 2025). (GOV.UK)
  2. GOV.UK, Internal scrutiny in academy trusts (published 14 February 2024). (GOV.UK)
  3. GOV.UK, Meeting digital and technology standards in schools and colleges and updates log (updated 12 February 2026). (GOV.UK)
  4. GOV.UK, Cyber Essentials scheme: overview (last updated 7 May 2025). (GOV.UK)
  5. NCSC, Cyber Essentials overview and Cyber Essentials Requirements for IT Infrastructure v3.1 (January 2023). (NCSC)

Apply this in your trust

Book a planning call or register free at MYAUDIT.school.