School and college security guidance – risk assessments and business continuity plans
10th July, 2026
The Department for Education has recently produced updates to the school and college security guidance.
Two themes are particularly significant: the need for robust and regularly reviewed security risk assessments, and the requirement for schools and colleges to have effective business continuity plans that enable them to respond and recover from serious incidents.
These two elements are closely connected. A good risk assessment identifies what could happen and how likely or damaging an event might be. A business continuity plan ensures that, if an incident does occur, the organisation can respond effectively, protect its community and return to normal operations as quickly as possible.
The importance of security risk assessments
The starting point for effective security management is understanding risk. The updated guidance advises schools and colleges to apply the same structured approach used for health and safety risk assessments when considering security matters. This involves identifying possible incidents, considering their likelihood and impact, and introducing measures to eliminate or reduce the risk wherever possible.
The guidance highlights that risks may arise from both inside and outside the education setting. Schools and colleges should consider threats that could occur on their premises, as well as external events that could affect their ability to operate safely. This includes considering risks such as vandalism, arson, cyber-attacks, serious incidents involving weapons and terrorist attacks.
Importantly, the assessment should not be limited to the school buildings alone. The guidance states that security risk assessments should extend beyond the estate because external incidents may have a direct impact on school or college operations. For example, events occurring nearby may require a school to implement emergency procedures, alter normal operations or provide additional support to those affected.
A proportionate and practical approach to risk
The guidance recognises that every school and college is different. Security arrangements should reflect the size, location, character and circumstances of the individual setting. A large urban college may face different challenges from a small rural primary school, and therefore security arrangements must be based on realistic assessment rather than a standard approach.
The purpose of a risk assessment is not to remove every possible risk, which is unlikely to be achievable. Instead, it is about reaching a balanced view of the risks faced and putting sensible and proportionate measures in place. Once risks have been identified, they should be prioritised and appropriate controls introduced. The guidance highlights that schools and colleges should keep security plans and risk assessments under review so that emerging issues can be identified early and arrangements updated when necessary.
This review process is particularly important because the security environment can change. Changes to the school site, staffing, pupil numbers, technology or local circumstances may introduce new risks or alter existing ones. A risk assessment should therefore be viewed as a living document rather than a one-off exercise.
Leadership, responsibility and the role of competent persons
The updated guidance identifies the importance of having a competent person, or persons, responsible for health and safety and security. This role may or may not be held by the same individual, but those responsible should have appropriate subject knowledge, training and experience to manage risks effectively.
The competent person should ensure that security arrangements:
- Identify the likelihood of security-related incidents occurring
- Assess the potential impact of those incidents
- Develop plans and procedures to manage and respond to threats
- Ensure that business continuity arrangements are in place.
Where specialist knowledge is required, schools and colleges should seek appropriate support. The guidance identifies that advice may be obtained through local authorities, partnership working arrangements or the police. The guidance encourages staff and, where appropriate, students to understand their role in maintaining a safe and secure environment. Everyone should be familiar with the expectations set out in the security policy and plan.
Business continuity planning
While risk assessments help prevent and reduce incidents, schools and colleges must also prepare for situations where disruption occurs. The updated guidance identifies business continuity plans as an integral part of security planning.
A business continuity plan should explain how a school or college will respond to and recover following a security-related incident. It should set out what actions need to be taken, who is responsible for decisions and how the organisation will move from immediate response towards a return to normal operations.
A serious incident may affect a school or college in many ways. Immediate priorities may include protecting pupils, students and staff, managing communication and responding to emergency services. However, the longer-term effects may continue well beyond the initial incident.
Effective business continuity planning should therefore consider:
- Immediate actions required during an incident
- Short-term arrangements to maintain essential functions
- Medium and long-term recovery arrangements
- Responsibilities of key individuals
- Communication with staff, students, parents and other stakeholders.
A plan should provide confidence that, even during a challenging situation, the school or college has considered how it will continue supporting its community.
The importance of recovery planning
The guidance places emphasis not only on responding to incidents but also on recovery. Returning to normality following a serious event can be complex, and the emotional impact on staff, students, and parents should not be underestimated.
Business continuity plans should therefore consider the support that may be needed following an incident. Leaders managing recovery may themselves be affected while also supporting others, making it important that arrangements identify available professional and specialist support.
Recovery should also include reviewing what happened and learning from the experience. The guidance recommends that schools and colleges carry out post-incident evaluation, bringing together key individuals to review how effectively security plans operated and identify improvements.
Conclusion
The updated school and college security guidance reinforces the importance of preparation, planning and resilience. Effective security is achieved through understanding risks, implementing proportionate controls and ensuring that everyone understands their role in maintaining a safe environment. Security risk assessments provide the foundation by identifying threats, assessing their impact and supporting informed decision-making. Business continuity plans then provide the framework for responding when disruption occurs and ensuring that recovery is managed effectively.
For school and college leaders, the message is clear: security planning should be an active and ongoing process. By regularly reviewing risks, testing arrangements and ensuring that continuity plans are in place, educational settings can strengthen their ability to protect their communities and continue delivering education even in difficult circumstances. If you would like any support with the preparation of risk assessments or business plans, or indeed managing a security incident, our education lawyers are here to help.
Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.
This page may contain links that direct you to third party websites. We have no control over and are not responsible for the content, use by you or availability of those third party websites, for any products or services you buy through those sites or for the treatment of any personal information you provide to the third party.
Topics:
Follow us on LinkedIn
Keep up to date with all the latest updates and insights from our expert team