School security policy: guidance and examples

This article explains your responsibilities for managing and responding to security-related incidents, including which policies you’re expected to have.  

It’s based on the DfE guidance School and college security, which brings together guidance on health and safety and security as it applies to schools.

There’s no set definition of ‘security-related incidents’, but in general it refers to any situation posing a risk of harm to your school (both the physical infrastructure and your staff and pupils). This includes:

• Vandalism
• Arson
• Cyber attacks
• Serious incidents with a weapon
• Terror attacks

Part of the process of writing your security policy is considering what your school’s specific local risks are.

What is a security policy, and do I need to have one?

It’s not on the list of statutory policies for schools and academy trusts but the DfE guidance says it’s ‘important’ for schools to have a policy and plan in place. The policy should:

• Balance the need to protect your school community with the need to remain a welcoming and open place
• Help to create a culture in your school where staff and students understand why it’s important to think about their safety and the safety of others. Read more about creating your school culture in this DfE report
• Show that you understand the issues that might affect your school by including risk assessments on internal risks (such as pupils bringing weapons) and external risks (such as terrorist attacks)
• Include relevant security procedures for the risks you’ve identified. You may be able to draw from your existing policies and procedures – for example, your emergency evacuation procedures for fires and your emergency or critical incident plan
• Be clear about how staff, students and the local community are expected to respond. This may mean adapting PSHE lessons to include security issues, running practice drills, and offering staff additional training (more on this below)
• Make use of your local authority or academy trust’s expertise, as well as that of police and other relevant organisations

There’s no set requirement to review the policy, although you should ‘routinely’ review your security arrangements, policies and plans. For example, you may decide to review the policy at the same time as your health and safety policy.

Who’s responsible for security?

Your competent person: you should have a named, competent person who leads in health and safety, and security – although it doesn’t necessarily have to be the same person covering both areas. This person will work with your designated safeguarding lead as required.

Staff and pupils should take personal responsibility for their own safety and security, and for those around them. Staff and pupils should understand what’s expected of them and be aware of security policies and plans that affect them. You could use school assemblies, lessons, and staff meetings to make sure everyone understands what to do.

All staff should know what to do in the event of an incident or potential incident, including who to contact and how, how to raise an alarm and what to do it they have a concern.

Senior staff: should understand your school’s security networks and be able to judge whether changes made in school affect your security policy and how it’s implemented.  

Provide security training for all staff

This should be relevant to the risks identified for your school.

Your competent person (or persons) responsible for health and safety, and security, should also receive ‘appropriate training’. Work with your local authority or academy trust to find training providers. 

All staff should have appropriate security training, so that they know:

• How to protect themselves and students from harm
• How to protect your premises 
• When to contact police and other emergency services

• Who to contact, and how
• How to raise an alarm to alert staff and pupils, if relevant
• Who is responsible for communicating with parents, family members (where appropriate), and statutory organisations (such as police and local authorities)
• Use of social media and handling the press

You could do this by having your responsible person run a training session to explain agreed procedure and answer any questions. 

Download and adapt our staff briefings, which include 30-minute presentations, staff handouts and assessments to help you train staff. These cover areas including:

• Health and safety for teachers and TAs
• Basic fire safety
• Risk assessments
• Cyber security for school staff

How do we identify risks?

You should already be familiar with and understand how to fill out a health and safety survey and risk assessment. Your competent person, or a delegated member of staff, should apply the same approach to security by determining:

• The type of incident your school may face
• The frequency and probability of it happening
• Measures to eliminate or reduce risk

These assessments should extend beyond your premises to include external incidents and cyber security risks.

Have a look at the guidance on potential security threats and preventive measures and use the example risks to start your risk assessments. 

To help kick off the process, download our template health and safety audit.

Build relationships with your local community

Working with your local community to gather and share security-related information means you’ll have more information to help put together your policy and make sure it reflects local issues and threats (for example, local gang-related violence or ethnic tensions).

Partners might include:

• Local police
• Your local authority
• Neighbouring schools and colleges
• Your local resilience forum (multi-agency partnerships made up of representatives from local public services, including the emergency services, local authorities, the NHS, the Environment Agency and others)

What else should we be doing?

Other questions to ask when forming your policy

Our thanks to our associate education experts, Peter Foale and David New, for their help with this section. We also referred to information from the DfE and the Institute for School Business Leadership (ISBL).

Who should our key holders be?

It’s up to your school to decide who your key holders should be. Typically this tends to be senior leaders, office managers, site managers or caretakers. A DfE representative told us this.

You can include who they are in your security policy.

Double check whether your LA or academy trust has any additional guidance that you need to follow around key holders, such as regularly updating them on who your current key holders are. 

Can non-employees be key holders?

Check whether this is permitted by your LA or trust.

If the nominated person isn't an employee you should:

• Use your health and safety policy to complete a risk assessment on them
• Decide whether or not they need a DBS check
• Seek advice from your insurance company
• Make sure that your school’s insurance isn’t negatively affected

Bear in mind that your insurer may insist on a DBS check.

Do we need to include information about our electronic access system (e.g. keypads and access cards)?

If your school has an electronic access system, information about it doesn't have to be included in your policy. However, if you do choose to include it, your policy should explain:

• The aim of the system
• Who will monitor it and what they'll be looking for
• How often the system’s information will be reviewed
• That all personal data the system gathers will be treated in accordance with the UK General Data Protection Regulations (UK GDPR)
• That the policy should be read along with the school’s data protection policy
• Who will be granted access to keys, key cards and codes, at what level and at what times 

If the system is used for staff registration, you should consult with staff and unions about how this will work and address any concerns before setting it out in a policy.

Keep in mind that a system may not be foolproof, because many people can walk through a door that 1 key card or password has opened.

See examples from primary schools

Miles Coverdale Primary School in Hammersmith and Fulham has a security policy that includes guidance for pupils, staff and visitors. It also covers:

• Security of equipment inside and outside school buildings
• Security during whole-school events, such as parents' afternoons
• How security strategies will be monitored

St George's Primary School in Wirral has a school security policy that sets out the legal framework for the policy and explains the responsibilities of the governing board, headteacher, staff members, the competent person, pupils and parents. It then covers a wide range of topics, including:

• Working with other agencies
• E-security, including the use of CCTV
• Removing people from the premises
• Violent crime 

See examples from secondary schools

Woking High School in Surrey has a security policy which includes a table laying out responsibilities and duties among the governors and staff (page 3) as well as sections detailing arrangements for:

• Visitor security procedures
• Offensive weapons
• Reporting and recording incidents

The Toynbee School in Hampshire has a security policy which includes:

• Security of the building
• Alarm call-outs
• CCTV
• Car parking and vehicle movement
• Offensive weapons
• Theft and burglary