
Cyber Security: A sample policy template for centres
Cyber security is essential to protect exam systems, personal data, and awarding organisation services. This guidance supports centres in understanding their responsibilities and setting out clear, proportionate measures to reduce cyber security risks. It explains who this applies to and what centres need to have in place, with a sample policy provided to help you…
How to use the sample policy
The Sample Centre Cyber Security Policy is provided as a template to support centres that need to create or review their own policy.
Centres should adapt the template to reflect their local arrangements, systems, and governance structures. Sections marked for completion must be customised before the policy is adopted.
Why cyber security is important
Cyber security helps protect exam systems, personal data, and awarding organisation services from disruption, loss, or misuse.
Centres routinely access awarding organisation systems and handle sensitive information relating to candidates, staff, and assessments. A cyber security incident, such as unauthorised access, data loss, or phishing, can affect exam delivery and place personal data at risk.
This guidance supports centres in understanding their responsibilities under UK data protection and safeguarding requirements, and in taking reasonable steps to protect systems used to administer examinations.
Who this guidance is for
This guidance is for schools, colleges, and other examination centres that access awarding organisation systems or handle examination-related data.
It applies to everyone within a centre who has access to IT systems or information used for exam administration, including senior leaders, exams officers, IT and data protection staff, teaching and support staff, governors, and other authorised users.
What centres need to do
Centres should have an appropriate cyber security policy in place that reflects their size, systems, and local context.
If your centre already has a cyber security policy, you do not need to adopt the sample policy provided. However, your existing policy must include a requirement for staff who access awarding organisation systems to complete cyber security training each year.
At a minimum, centres should ensure that their arrangements:
- clearly set out roles and responsibilities for cyber security
- include proportionate technical and access controls
- require annual cyber security training for staff
- explain how to report and respond to suspected incidents
- are reviewed regularly and kept up to date.
