The 9ine Blog

9ine helps thousands of school leaders and IT teams protect their stakeholders and constituents by publishing critical changes, updates and best practice blogs. 


Risk management - how to effectively manage cyber security risks in your school

The following is the first in a series of blogs where 9ine explore how schools can implement technical and organisational changes in order to further protect the confidentiality, integrity and availability of your information and information systems. We will be building upon each stage of the UK’s National Cyber Security Centre (NCSC) 10 Steps to Cyber Security, and in turn, provide our independent recommendations, examples and guidance.

In our previous blog, “How secure is your school from cyber attacks?”, we outlined that schools need to move from defensive to offensive measures against cyber attacks and to further protect against data breaches. The first step listed was to identify all your vulnerabilities; how to do this was captured in “How To Assess Your School's Vulnerability To Cyber Attacks”. Once your vulnerabilities have been identified and assessed against the likelihood and impact of a threat, you will have determined your risks. These risks need to be captured, prioritised and proactively managed through school policies, processes and a central risk log.

In this first blog following the NCSC guidance, we look at risk management and how effective risk management will help your school prioritise the actions required to further protect your data and network from identified vulnerabilities. By following recommended codes of conduct, you will be demonstrating a level of compliance with data protection law and the associated cyber frameworks.

What are the key benefits of maintaining and managing a risk log?

  • A risk log allows your individual departments to capture their issues and risks
  • A central repository of all risks enables prioritisation and identification of common issues
  • Rationalisation will drive projects and mitigating actions that are based on a risk assessment and can be managed across the school as a whole
  • Risk management will help forecast both financial and resource planning
  • The risk register provides a mechanism for evidencing to your school board/governors and regulatory authorities that you are actively identifying and managing risks


What are the main stages involved in risk management?

There are many risk management frameworks available; it is our interpretation that they broadly follow the cycle below.

Identify - the school should assess organisational and technical systems and services for vulnerabilities to data and cyber breaches

Analyse - the vulnerabilities should be assessed against their likelihood, impact and severity if realised to determine their overall risk to the school

Action - all identified risks should have a risk owner, mitigating action, timescale to implement and an appropriate action owner assigned

Monitor - organisations need to put in place ways of monitoring and assessing the ongoing effectiveness of their risk response. Are your current technological actions still sufficient? Are the organisational measures you put in place being implemented and followed?

Control - controls are put in place to modify the risk and they generally fall under one of the following measures: preventative, detective or reactive

The above is a cyclic process, and only by following a defined and documented policy, process and procedure can you demonstrate an effective risk management regime within your school.



What should we be looking for in our risk management regime?

Firstly, identify whether your school has an up-to-date and active risk policy, process, procedure and risk log. This may be something that has not been disseminated throughout the school and may currently be held only at board level. Equally, some schools may have separate risk registers that are used in isolation and do not feed into a central repository.

Secondly, in order to implement and embed, or to check that you have an appropriate risk management regime across your school, you should ensure that you have:

  • A risk management policy
  • A risk management process and procedure
  • Individual department risk logs
  • A centrally managed risk register
  • Identified risk and action owners
  • Regular meetings
  • The support of the school's board/governors

These policies, processes and procedures need to be supported by an empowered school governance structure, which itself is actively supported by the board of directors or governors. Once agreed by senior leaders and the board of directors or governors, the risk management regime should be clearly communicated to all employees, contractors and suppliers to ensure all are aware of the approach, how decisions are made, and any applicable risk boundaries.


In summary

All risks and issues should be tracked. Schools should have a mechanism in place for raising awareness to the board/governors, and all identified risks should be prioritised against a supporting action plan. Identification, classification and the use of a risk-based methodology are key in the active management of risks. Effective risk management is identified as a key stage in cyber security frameworks and guides such as the EU NIS Directive (A2), NIST Risk Management Framework (RMF) and the NCSC 10 Steps to Cyber Security.

By identifying and logging your risks, you will be able to provide evidence to any regulatory authorities that there were plans in place to resolve the risk, should that vulnerability ever be exploited prior to your planned resolution.

Vulnerability identification, assessment, and action plans based on risk assessment and management are all key elements of all of 9ine’s services. Contact our team if you would like to hear more about the setup and management of risk within your school.

For more information about our Cyber Defence Essentials Services or other Security initiatives such as Data Loss Prevention, Advanced Threat Protection, End User Email Digest Solutions and our recommendations on configuring Office 365, please contact
