
Month-by-month platform changes

The Secure Schools change log provides details of changes and improvements to our platform.

More details of each update are listed in our user guides and community.

June 2025

United Kingdom, Australia and New Zealand

Cyber score updates

A further 19 statements have been added to cyber score. These are the remaining questions from the Secure Schools self-evaluation audit.

Our organisation follows board approved documented procedures when making significant changes to our computers, networks and software applications.
Our organisation has a formalised process for distributing relevant cybersecurity and information security policies to staff.
Our organisation has a formalised process for distributing relevant cybersecurity and information security policies to students.
Our organisation has a formalised process for distributing relevant cybersecurity and information security policies to contractors.
Our organisation has a formalised process for distributing relevant cybersecurity and information security policies to the school board.
Our organisation identifies and protectively marks all the sensitive information it holds.
Our organisation securely deletes or disposes of all information assets when they are no longer needed.
Our organisation's data flow documentation includes the source of the data it collects.
Our organisation incorporates relevant safeguarding directives into its recruitment processes.
Our organisation always performs criminal record and background checks when recruiting staff.
Our organisation's employment contracts include cybersecurity responsibilities and adherence to information security policies.
Our organisation protects external access to internal applications and services by implementing brute force mechanisms such as account and IP lockout. Specifically, access is restricted after ten or fewer failed login attempts, or by limiting login attempts to a maximum of ten within a five-minute window.
Our organisation uses encryption methods, such as BitLocker for Windows, to protect data on its devices.
Our organisation has configured anti-malware software to alert IT staff of malware risk or when the anti-malware software fails to update.
Our organisation encrypts in-progress backup data when in transit.
Our organisation stores backup copies of data with at least the same level of security as the originals.
Our organisation ensures that the time set on all devices is accurate and from the same source to ensure logs and audit trails are synchronised.
Our organisation ensures that all new or updated computers, devices, and software meet required specifications and are suitable for their intended use.
Our organisation reviews and approves all significant changes to IT systems, software applications or networks before changes are made.

May 2025

United Kingdom

Cyber score updates

  • Two new achievement tracks have been added to cyber score: Cyber Essentials and the National Cyber Security Centre's questions for governors.
  • To support these new tracks, six existing statements and one information panel have been amended.
  • Seven additional statements have been added to meet the requirements of the DfE cyber security standards.

Amended statements

Original statement: Our organisation's IT team uses multi-factor authentication on all of their accounts where it is available.
Revised statement: Our organisation's administrator accounts have multi-factor authentication activated where it is available.

Original statement: Our organisation configures anti-malware software to automatically scan web pages when they are accessed.
Revised statement: Our organisation installs anti-malware software to automatically scan web pages when they are accessed.

Original statement: Our organisation configures anti-malware software to automatically scan files when they are accessed.
Revised statement: Our organisation installs anti-malware software to automatically scan files when they are accessed.

Original statement: Our organisation configures locally installed anti-malware software or a gateway anti-malware service to scan incoming and outgoing emails for malware.
Revised statement: Our organisation configures locally installed anti-malware software or a gateway anti-malware service to scan incoming and outgoing emails for malware.

Original statement: Our organisation ensures that all software applications installed on the organisation's devices are in current support by the vendor and eligible to receive fixes for security problems.
Revised statement: Our organisation ensures that all software applications installed on the organisation's devices, such as computers, laptops, servers, tablets and smartphones are in current support by the vendor and eligible to receive fixes for security problems.

Original statement: Our organisation reviews each internal application or service that is accessible externally through our network boundary at least termly.
Revised statement: Our organisation reviews each internal application or service that is accessible externally through our network boundary firewall and removes them when they are no longer required. This happens at least termly.

Amended information panel

Statement Original information panel Revised information panel
Our organisation reviews each internal application or service that is accessible externally through our network boundary at least termly. Where external access to applications or services is required by people working from home or remotely, this should only be granted following thorough justification, assessment and mitigation of risk through a business case.

Access rules should be reviewed at least termly, to ensure it is still required and acceptable.
Not removing applications or services when they are no longer in use runs the risk of them being forgotten about. When this happens, they might stop being updated, exposing vulnerabilities to the network.

Additional statements to meet the requirements of the DfE cyber security standards

Our organisation keeps an up-to-date record of network diagrams, configuration settings, and IP addressing information.
Our organisation ensures our boundary firewall firmware is supported by the vendor and kept up-to-date.
Our organisation maintains only essential firewall rules, ensuring each rule is documented and has undergone a comprehensive risk assessment.
Our organisation manages browser settings so that security requirements are enforced. This prevents users from installing unauthorised extensions or bypassing security features.
Our organisation's business or finance function records license expiry dates in the contracts register and uses these to ensure timely renewals and to budget for any renewal costs.
Our organisation captures software and operating system end-of-support dates in the asset register.
Our organisation ensures that any devices running software that is out of support are segregated. This could involve placing them on a separate network and blocking internet access. We only continue to use such software if there is a documented and approved business need.

Australia and New Zealand

Soft launch of cyber score

  • Cyber score has been tailored for Australian and New Zealand schools and is now available for schools to preview via a demonstration from the Secure Schools team.
  • For schools in Australia, we have added statements to meet the requirements of the Essential 8 mitigation strategies at Maturity Level One.

Global

  • We have improved the cyber score onboarding process. This includes adding an explanation about what cyber score is and improving the onscreen text that explains its elements.

April 2025

Preview the phishing simulation templates.

Admins and owners

  • When setting up the phishing simulations, there is now a Preview button on the set-up screen.
  • Clicking this opens a preview window, and clicking the link on the preview shows the screen that colleagues will see if they fall for the simulation.

Reminder emails to sign policies

  • Email reminders will be sent to any colleagues who are yet to sign any of the policies shared with them.
  • These emails are sent on Mondays and collate all unsigned policies into a single email.

Updated policies for UK schools

  • This applies to UK schools only, as these expectations are only relevant there. UK policies have been updated to align with changes to the following:
    • The Department for Education’s cyber security standards.
    • The new Willow question set for Cyber Essentials.
    • The closure of the ESFA.

Visit our community to read about previous updates we have made.