Training requirements for the DfE RPA scheme

One of the four conditions that must be met for cyber threat cover to be included in the DfE’s risk protection arrangement (RPA) is that relevant people in school must be appropriately trained in cyber security.

Who must undertake training?

Any employee or governor who has access to the school’s IT systems must complete NCSC Cyber Security Training by the start of the school’s membership year.

The training course is free from the NCSC website and available in two formats. There is a scripted presentation pack for group delivery. The presentation pack can be used by schools to help teach school staff at in-person or virtual group sessions such as INSET days or staff meetings.

Alternatively, there is a self-learn video on YouTube for staff to complete by themselves. The self-learn video includes the same content as the presentation pack but can be undertaken by staff at a convenient time for them.

Key points to remember about the training

  1. All employees and governors who use the school’s IT systems must complete the training.

  2. Upon completion, each person MUST obtain their certificate of completion and add their name. In the event of an RPA claim for a cyber incident the school will be required to provide the certificates as evidence.

    The NCSC page has a link to the certificate, it is linked to in the description field of the YouTube video, or it is in the last slide of the PowerPoint presentation.

    A school or multi-academy trust (MAT) could download a template copy to use itself if simpler.

  3. Schools or MATs need to keep a record and copy of each certificate. Best practice suggests keeping this in an offline file store separate from the main school data, that is easily accessible in case of a security incident (e.g. a secure USB key). This method will ensure that in the event of a ransomware attack the certificate store is still available.

  4. Make the training part of the induction process for any new starter, to be completed BEFORE they have access to the computer systems.

  5. Remember to update the certificate store with the new starters’ certificates.

To speak to one of our experts about how to ensure you meet the requirements of the RPA, contact us.

We have published blog pieces on the other elements of the RPA cyber protection. They cover:




back to top button
back to top button