Month-by-month platform changes
The Secure Schools change log provides details of changes and improvements to our platform.
More details of each update are listed in our user guides and community.
May 2025
United Kingdom
Cyber score updates
- Two new achievement tracks have been added to cyber score, these are Cyber Essentials and the National Cyber Security Centre's questions for governors.
- To support these new tracks, six existing statements have been amended and one information panel.
- Seven additional statements to meet the requirements of the DfE cyber security standards.
Amended statements
Original statement | Revised statement |
Our organisation's IT team uses multi-factor authentication on all of their accounts where it is available. | Our organisation's administrator accounts have multi-factor authentication activated where it is available. |
Our organisation configures anti-malware software to automatically scan web pages when they are accessed. | Our organisation installs anti-malware software to automatically scan web pages when they are accessed. |
Our organisation configures anti-malware software to automatically scan files when they are accessed. | Our organisation installs anti-malware software to automatically scan files when they are accessed. |
Our organisation configures locally installed anti-malware software or a gateway anti-malware service to scan incoming and outgoing emails for malware. | Our organisation configures locally installed anti-malware software or a gateway anti-malware service to scan incoming and outgoing emails for malware. |
Our organisation ensures that all software applications installed on the organisation's devices are in current support by the vendor and eligible to receive fixes for security problems. | Our organisation ensures that all software applications installed on the organisation's devices, such as computers, laptops, servers, tablets and smartphones are in current support by the vendor and eligible to receive fixes for security problems. |
Our organisation reviews each internal application or service that is accessible externally through our network boundary at least termly. | Our organisation reviews each internal application or service that is accessible externally through our network boundary firewall and removes them when they are no longer required. This happens at least termly. |
Amended information panel
Statement | Original information panel | Revised information panel |
Our organisation reviews each internal application or service that is accessible externally through our network boundary at least termly. | Where external access to applications or services is required by people working from home or remotely, this should only be granted following thorough justification, assessment and mitigation of risk through a business case. Access rules should be reviewed at least termly, to ensure it is still required and acceptable. |
Not removing applications or services when they are no longer in use runs the risk of them being forgotten about. When this happens, they might stop being updated exposing vulnerabilities to the network. |
Additional statements to meet the requirements of the DfE cyber security standards
Our organisation keeps an up-to-date record of network diagrams, configuration settings, and IP addressing information. |
Our organisation ensures our boundary firewall firmware is supported by the vendor and kept up-to-date. |
Our organisation maintains only essential firewall rules, ensuring each rule is documented and has undergone a comprehensive risk assessment. |
Our organisation manages browser settings so that security requirements are enforced. This prevents users from installing unauthorised extensions or bypassing security features. |
Our organisation's business or finance function records license expiry dates in the contracts register and uses these to ensure timely renewals and to budget for any renewal costs. |
Our organisation captures software and operating system end-of-support dates in the asset register. |
Our organisation ensures that any devices running software that is out of support are segregated. This could involve placing them on a separate network and blocking internet access. We only continue to use such software if there is a documented and approved business need. |
Australia and New Zealand
Soft launch of cyber score
- Cyber score has been tailored for Australian and New Zealand schools and is now available for schools to preview via a demonstration from the Secure Schools team.
- For schools in Australia, we have added statements to meet the requirements of the Essential 8 mitigation strategies at Maturity Level One.
Global
- We have improved the cyber score onboarding process. This includes adding an explanation about what cyber score is and improving the onscreen text that explains its elements.
April 2025
- Preview the phishing simulation templates.
- Reminder emails to sign policies.
- Updated policies for UK schools.
Preview the phishing simulation templates.
Admins and owners
- When setting up the phishing simulations, there is now a Preview button on the set-up screen.
- Clicking this opens a preview window, and clicking the link on the preview shows the screen that colleagues will see if they fall for the simulation.
Reminder emails to sign policies
- Email reminders will be sent to any colleagues who are yet to sign any of the policies shared with them.
- These emails are sent on Mondays and collate all unsigned policies into a single email.
Updated policies for UK schools
- UK policies have been updated to align with changes to the following. This applies to UK schools only as these expectations are only relevant there.
- The Department for Education’s cyber security standards.
- The new Willow question set for Cyber Essentials.
- The closure of the ESFA.
Visit our community to read about previous updates we have made.