How to write a cyber security action plan that schools can actually deliver

A cyber security action plan is a short, prioritised set of actions that reduces real-world risk, with named owners and clear timescales.
Schools and trusts often have plenty of cyber guidance, audit findings, and supplier recommendations. The missing piece is usually the same: a plan that leaders can own, fund, monitor, and deliver.

Who this is for: Headteachers, senior leaders, school business professionals, trust leaders, governors, and IT leads.

Start with the right question

A cyber security action plan is not an IT shopping list. It is a leadership document that answers:

Which risks are we reducing first, and how will we know we have reduced them?

If the plan can only be understood by IT staff, it is probably not a plan. It is a backlog.

Be clear what the plan is (and is not)

It is

  • A short list of prioritised actions
  • Time-bound and measurable
  • Owned by named roles, not “IT”
  • Reviewed through governance
  • Focused on outcomes and risk reduction

It is not

  • A policy or staff handbook
  • A risk register
  • A technical audit report
  • A list of controls with no prioritisation
  • A document written once and never reviewed

Gather your inputs

You only need three things to start:

  1. Your most significant cyber risks
  2. An honest view of what you can evidence today
  3. Relevant national guidance to define good practice

Do not aim for perfection. Aim for something that is good enough to govern and improve over time.

Turn guidance into actions

National guidance explains what good looks like. Your action plan decides what you will do next, in your context.

| Guidance expectation | Current position | Action wording |
|---|---|---|
| Backups should be reliable and recoverable | Backups exist but restores are not tested | Introduce termly restore tests and record outcomes |
| Access should follow least privilege | Too many staff have admin-level access | Remove unnecessary admin rights and introduce a request process |
| Incident response should be prepared | No agreed roles or communications approach | Create a simple incident response playbook and rehearse it |

Write actions that can be delivered

If you cannot tell when an action is complete, it is not written clearly enough.

A weak action: “Improve cyber security”

A stronger action: “Implement MFA for all staff accounts and confirm coverage”

| Field | What it should contain |
|---|---|
| Action | One sentence describing what will change |
| Risk reduced | The specific risk this addresses |
| Owner | A named role with responsibility |
| Due date | A realistic timescale |
| Evidence | What will demonstrate completion |

Prioritise and sequence

  • Safeguarding and data protection first
  • Resilience before optimisation
  • High impact before high effort
  • Document conscious deferrals

Make it governable

A cyber security action plan only works if it is reviewed and supported through normal governance.

  • Agree where it is reviewed (SLT, board, committee)
  • Track progress consistently
  • Record decisions and constraints

Common reasons plans fail

| Issue | Why it happens | Better approach |
|---|---|---|
| Too technical | Leaders disengage | Write actions as outcomes, not tasks |
| No ownership | Actions drift | Name responsible roles and review regularly |
| No prioritisation | Everything feels urgent | Reduce to what genuinely matters most |

How this fits with wider expectations

This approach supports DfE technology standards, EdFITS principles, and safeguarding expectations by focusing on leadership ownership, risk reduction, and delivery.

How to write a cyber security action plan that schools can actually deliver on Digital Confidence for Education