Education, June 2026

The Complete Guide to School Security in 2026: Everything a Headteacher and Business Manager Needs to Know

School security in 2026 is more legislatively complex, more technologically capable, and more consequential than it has ever been. This guide covers the complete picture: the laws you must understand, the systems available to you, how to procure and budget effectively, and how to manage what you have in place. Whether you are reviewing your current provision or starting from scratch, this is the reference you will return to.

What this guide covers
  1. The Legislative Framework in 2026
  2. Understanding Your School's Actual Risk
  3. CCTV: What a Proper System Looks Like
  4. Access Control: Beyond the Buzzer on the Gate
  5. Intruder Alarms: The Most Overlooked System
  6. Fire Systems: Compliance and Integration
  7. Why Integration Is Not Optional
  8. How to Procure Without Getting It Wrong
  9. Budgeting: What Things Actually Cost
  10. Ongoing Management and Maintenance
  11. The Governor's Assurance Checklist
Section 01

The Legislative Framework in 2026

School security sits at the intersection of four distinct legislative frameworks. Understanding each one clearly is the starting point for any credible security strategy. They overlap, reinforce each other, and in some areas create tensions that require careful management. A headteacher or business manager who understands the framework is in a much stronger position to make good decisions, defend them to governors, and hold suppliers to account.

Keeping Children Safe in Education 2025

KCSiE is the statutory safeguarding guidance that applies to all schools and colleges in England. The 2025 version came into force on 1 September 2025 and is the current statutory document schools must follow. A draft of KCSiE 2026 was published for consultation in early 2026, described by some safeguarding leads as a significant overhaul, but it is not yet in force. Schools must continue working to KCSiE 2025 until the 2026 version is formally enacted.

KCSiE requires schools to provide pupils with a safe physical environment. In practice this means robust measures for site security, controlled access for visitors, and the ability to know who is on site at all times. Paragraph 308 specifically addresses visitor management and requires schools to have processes in place to identify and supervise visitors that ensure appropriate safeguarding measures are in operation. The guidance does not mandate specific technology, but it establishes obligations that paper-based systems cannot reliably meet. A paper sign-in book cannot tell you in real time who is currently on site. A properly configured access control system can.

The 2025 update also included more explicit cyber security wording and strengthened the expectation that Data Protection Impact Assessments (DPIAs) are completed for technology used in safeguarding contexts. Schools deploying AI analytics in their CCTV systems should ensure they have completed the required DPIA before going live.

Key obligation

KCSiE 2025 in practice

Schools must have documented procedures for site security and visitor management that are implemented consistently. The evidence base an Ofsted inspector or ISI inspector expects to find includes: a written CCTV policy, an access control policy, a visitor management process, and evidence that the people responsible for implementing them have received appropriate training. The physical systems are the infrastructure that makes the documented procedures credible.

Martyn's Law: The Terrorism (Protection of Premises) Act 2025

The Terrorism (Protection of Premises) Act 2025 received Royal Assent on 3 April 2025. The 24-month implementation period means enforcement begins in April 2027. Every school that can reasonably expect 200 or more people on site at any one time is within scope, which means most primary and secondary schools fall under the Standard Tier.

It is important to understand precisely what Martyn's Law requires, because there is widespread misunderstanding in the sector. The Act does not legally require you to install any physical security measures. What it requires are documented procedures covering evacuation, invacuation, lockdown, and communication, along with staff awareness training and the appointment of a responsible person who notifies the Security Industry Authority. The school must also be registered with the SIA before enforcement begins.

The reason physical security still matters, however, is straightforward. A lockdown procedure that relies on staff manually securing dozens of doors across a large campus within seconds of an alert is a procedure that will fail under pressure. The physical infrastructure, including electronically controlled door locks, a reliable site-wide communication system, and CCTV coverage of approach routes and key areas, is what makes the documented procedure actually workable. Schools that have their procedures in place but lack the physical capability to execute them are compliant on paper but vulnerable in practice.

The DfE published non-statutory guidance titled Protective Security and Preparedness for Education Settings in April 2025, covering RUN HIDE TELL protocols, invacuation procedures, grab kits, and post-incident welfare. All school leaders should be familiar with this document regardless of Martyn's Law scope. For a detailed guide to what the Act requires, see the Martyn's Law guide for schools.

UK GDPR and the Data (Use and Access) Act 2025

Every school that operates CCTV is a data controller processing personal data. That creates obligations under UK GDPR and the Data Protection Act 2018 that many schools do not fully understand. The Data (Use and Access) Act 2025 reinforced and in some areas extended those obligations.

The practical requirements for school CCTV operators are: a lawful basis for processing (legitimate interests is the most appropriate basis for school security CCTV, but it requires a Legitimate Interests Assessment); a written CCTV policy that covers the purposes of the system, retention periods, access controls, and the process for handling Subject Access Requests; ICO-compliant signage at all camera locations; and a Data Protection Impact Assessment for any system using AI analytics or processing special category data.

Retention periods matter practically as well as legally. The standard for school security CCTV is 31 days. Shorter periods reduce storage costs but reduce usefulness: a safeguarding concern identified three weeks after an incident cannot be investigated with footage that has already been overwritten. Longer retention periods require specific justification and proportionality assessment. The 31-day standard is both compliant and operationally sensible for most schools. For a detailed guide to CCTV data protection compliance, see the ICO requirements guide.

The Regulatory Reform (Fire Safety) Order 2005

Every school must have a written fire risk assessment, reviewed annually or when significant changes occur, and a fire detection and alarm system that reflects the findings of that assessment. The technical standard is BS 5839-1:2025, which replaced the 2017 version on 30 April 2025. Most mainstream schools are expected to have at minimum a Category L3 system providing automatic detection in escape routes and rooms that open onto escape routes, plus manual call points throughout.

The 2025 revision introduced several changes relevant to schools, including a clear preference for smoke detectors over heat detectors in sleeping areas (relevant for boarding schools), mandatory fire-resistant cabling for alarm circuits, and updated competence requirements for engineers working on fire alarm systems. Schools whose systems were installed before 2025 should check with their maintenance provider whether any remediation is required to meet the current standard.

A development worth noting: the Fire Industry Association published guidance in 2025 on using fire alarm systems to signal lockdown alerts under Martyn's Law. The guidance references BS 5839-1:2025 Clause 5a, which requires that lockdown alarm signals be clearly differentiated from fire evacuation signals. Schools exploring dual-use alarm systems should ensure any such configuration is designed by a qualified engineer and documented in the fire alarm logbook.

Section 02

Understanding Your School's Actual Risk

The starting point for any security strategy is not technology. It is an honest assessment of the specific risks your school faces. A school on a busy urban street with a history of theft and anti-social behaviour (ASB) has different priorities from a rural primary on a quiet lane. A large secondary with 1,800 pupils and regular public events has different Martyn's Law obligations from a small primary with 200 pupils. Security investment that is not anchored in a genuine risk assessment tends to over-invest in visible deterrents and under-invest in the unglamorous infrastructure that actually makes a difference.

The DfE's guidance recommends conducting a site-specific risk assessment before developing any security or preparedness plan. That assessment should address the probability and potential impact of different incident types: unauthorised access, vandalism and theft, safeguarding failures enabled by security gaps, and the lower-probability but higher-consequence threat of a major incident. It should also address your site's specific vulnerabilities: unsupervised entrance points, poor lighting, areas without camera coverage, and legacy systems that no longer function as designed.

A useful benchmark: research using Freedom of Information requests to UK police forces found that educational settings are consistently among the most frequently targeted premises for theft and burglary. The pattern is predictable: holiday periods and weekends, when sites are unoccupied and monitoring is lowest, account for the majority of incidents. A school that has not reviewed its security posture during holiday closures is addressing the wrong problem.

Your incident log is a primary data source for this assessment. Most schools maintain one but few analyse it systematically. Three years of incident data, mapped by location, time, and type, will show you patterns that are not visible when incidents are recorded and filed individually. A free tool to help with that analysis is available at the incident analyser.

A professional security site survey is the most efficient way to conduct this assessment with confidence. A properly qualified surveyor will review your site systematically, identify vulnerabilities that are not obvious from the inside, and produce a prioritised recommendation that gives you a defensible basis for investment decisions. Fyrfly offers free site surveys for schools across the South East.

Section 03

CCTV: What a Proper System Looks Like

CCTV is the most visible element of school security and, as a result, the one most frequently specified incorrectly. The metrics that appear in quotes, resolution figures and camera counts, tell you almost nothing about whether a system will work for your school. What matters is coverage, retention, management, and integration.

Coverage

Coverage means every area identified in your risk assessment is monitored by a camera that can clearly see what needs to be seen. This sounds obvious but it is frequently not achieved in practice. Common gaps include: entrance points that are covered by a camera pointing at the wrong angle, car parks where camera height means the roof of a van obscures the activity behind it, perimeter areas where coverage ends 20 metres from the actual boundary, and internal areas where cameras cover corridors but not the specific rooms where valuable assets are stored.

Coverage is specified correctly by starting with a site plan, identifying every area that needs monitoring and defining what each camera must be able to see, and then working out camera positions that achieve that coverage. Not the other way around. A supplier who asks you how many cameras you want before discussing what you need to see is specifying the system wrong.

Retention

31 days is the standard retention period for school security CCTV. This is both the ICO's guidance for proportionate retention and the operationally sensible minimum for a school environment, where safeguarding concerns may come to light weeks after the relevant incident. Shorter periods save storage costs but reduce the system's usefulness when it is needed most. Specify 31 days as a minimum requirement in any procurement.

Management

A system that cannot be used by the people responsible for it is not functioning as a security system. Ask any prospective supplier to demonstrate how footage from a specific camera at a specific time is located and exported. This should take under five minutes, require no specialist knowledge, and produce an output that is usable as evidence. If a demonstration takes longer than that or requires the supplier to operate the system for you, the management interface is not fit for a school environment.

AI analytics

AI-powered analytics are increasingly available as standard in modern CCTV platforms. Loitering detection, perimeter breach alerts, crowd density monitoring, and vehicle recognition can add genuine value in a school context, particularly for out-of-hours monitoring and perimeter security. The critical point is that these features require a Data Protection Impact Assessment before deployment, and their use must be covered in your CCTV policy. For a plain-language guide to what AI analytics actually does and where it adds value, see the AI analytics guide. For a practical guide to specifying the right system, see how to choose a school CCTV system.

Section 04

Access Control: Beyond the Buzzer on the Gate

Most schools have some form of access control. Most of it is not adequate. A buzzer on the main gate with a receptionist looking at a grainy screen is a form of access control. So is a networked system with smart credentials, visitor management software, time-based permissions, and real-time integration with CCTV. The gap between those two descriptions is large, and which end of it your school sits on has direct implications for your KCSiE compliance and your Martyn's Law readiness.

What a functional access control system does

A properly specified access control system replaces mechanical keys with digital credentials that can be activated and deactivated instantly from management software. It logs every access event with a timestamp, a credential identifier, and the door that was opened. It enforces time-based restrictions so a contractor who should only be on site between 8am and 5pm cannot enter the building at 11pm. It supports visitor management with a pre-arrival screening process, a photographic record, and a host notification. And it integrates with CCTV so that every door opening is accompanied by a captured image of the person who opened it.

The KCSiE implication is direct. The guidance requires schools to know who is on site at all times. An access control system with a live occupancy record, showing every person currently on site by name and credential type, meets that requirement in a way that a paper sign-in book cannot. It also generates the audit trail that an Ofsted or ISI inspector can examine as evidence of compliant visitor management.
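To make the behaviour described above concrete, here is an added example (not code from any access control product) that applies time-based permissions to an access event log and derives a live occupancy list. The credential IDs, names, door names, and the presence of both entry and exit readers are assumptions; all sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Credential:
    holder: str
    kind: str            # "staff", "contractor" or "visitor"
    start: time          # earliest permitted entry
    end: time            # latest permitted entry
    active: bool = True  # set to False the day the holder leaves


@dataclass(frozen=True)
class Event:
    ts: datetime
    cred_id: str
    door: str
    direction: str       # "in" or "out" (assumes readers on both sides)


# Constructed sample data: credential register and one day of door events.
CREDENTIALS = {
    "C-1001": Credential("A. Teacher", "staff", time(6, 30), time(19, 0)),
    "C-2001": Credential("B. Contractor", "contractor", time(8, 0), time(17, 0)),
    "C-3001": Credential("C. Leaver", "staff", time(6, 30), time(19, 0), active=False),
}

EVENTS = [
    Event(datetime(2026, 6, 8, 7, 45), "C-1001", "main-entrance", "in"),
    Event(datetime(2026, 6, 8, 8, 10), "C-2001", "plant-room", "in"),
    Event(datetime(2026, 6, 8, 16, 40), "C-2001", "plant-room", "out"),
    Event(datetime(2026, 6, 8, 18, 5), "C-3001", "side-gate", "in"),
    Event(datetime(2026, 6, 8, 23, 0), "C-2001", "main-entrance", "in"),
    Event(datetime(2026, 6, 8, 23, 2), "C-9999", "main-entrance", "in"),
]


def decide(event, credentials):
    """Return (granted, reason) for a single door event."""
    cred = credentials.get(event.cred_id)
    if cred is None:
        return False, "unknown credential"
    if not cred.active:
        return False, "credential deactivated"
    # Time windows restrict entry only; exits are never blocked by the schedule.
    if event.direction == "in" and not (cred.start <= event.ts.time() <= cred.end):
        return False, "outside permitted hours"
    return True, "ok"


def review(events, credentials):
    """Split the log into denied attempts (for follow-up) and granted events."""
    denied, granted = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        ok, reason = decide(ev, credentials)
        (granted if ok else denied).append((ev, reason))
    return denied, granted


def on_site(events, credentials, at):
    """Occupancy at time `at`: holders whose last granted event was an entry."""
    last_direction = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ts > at:
            break
        if decide(ev, credentials)[0]:
            last_direction[ev.cred_id] = ev.direction
    return sorted(
        (credentials[cid].holder, credentials[cid].kind)
        for cid, direction in last_direction.items()
        if direction == "in"
    )


if __name__ == "__main__":
    denied, _ = review(EVENTS, CREDENTIALS)
    for ev, reason in denied:
        print(f"{ev.ts:%H:%M} {ev.cred_id} {ev.door}: DENIED ({reason})")
    print("On site at 23:30:", on_site(EVENTS, CREDENTIALS, datetime(2026, 6, 8, 23, 30)))
```

The 23:30 occupancy list still shows a member of staff who never badged out, which is exactly the kind of discrepancy a live occupancy record surfaces and a paper book does not.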

Credential types

Proximity cards and fobs are the most common credential in UK schools. They are durable, inexpensive to replace, and straightforward to use. The main risk is that they can be shared or lent, which undermines the audit trail. PIN codes are the least secure option and should not be used as the primary credential for any entrance with meaningful access to pupils. Biometric credentials, fingerprint or facial recognition, offer the highest security because they cannot be shared, but they involve processing special category data and require specific GDPR compliance steps before deployment. Mobile credentials using smartphone apps are increasingly common for staff in workplace environments, though less widely deployed in schools. For a detailed guide to credential types and system components, see the access control buying guide.

Lockdown capability

Martyn's Law compliance depends in practice on the ability to secure your building quickly and reliably. Electronically controlled door locks that can be activated from a central point, or automatically in response to an alarm trigger, are the physical infrastructure that makes a lockdown procedure credible. Without them, a lockdown depends on staff running to secure individual doors manually, which is both slow and unreliable. Specify lockdown capability as a functional requirement, not an optional extra, in any access control procurement.

Section 05

Intruder Alarms: The Most Overlooked System

Intruder alarms are the least glamorous element of school security and the one most frequently taken for granted. Most schools have one. Fewer schools know whether it is working correctly, whether its coverage reflects the current layout of the building, or when it was last properly maintained.

An intruder alarm that was installed a decade ago and has not been reviewed since is almost certainly not providing the coverage it was designed to. Schools expand, repurpose rooms, add temporary structures, and change their out-of-hours use patterns. The detector zones that made sense in 2015 may leave significant areas unprotected today.

The practical questions to ask about your current system are: when was it last inspected by a qualified engineer, does the coverage map reflect the current building layout, is it connected to a 24-hour monitoring centre, and what is the average police response time to an alarm activation at your site? If you cannot answer these questions confidently, a system review is overdue.

On monitoring: an intruder alarm that activates and sends a signal to an unmonitored dial tone is not providing meaningful protection. Police response to confirmed intruder alarms is significantly faster than response to unconfirmed activations. A connection to a professional Alarm Receiving Centre (ARC), with remote video verification that confirms an intrusion before alerting police, reduces false alarm callouts and improves response times when an incident is genuine. This is a managed service that adds a modest annual cost and a significant practical improvement to your protection.

Section 06

Fire Systems: Compliance and Integration

Fire system compliance in schools is governed by the Regulatory Reform (Fire Safety) Order 2005, interpreted in practice through BS 5839-1:2025 and the DfE's Building Bulletin 100 guidance on fire safety design for schools. The responsible person, usually the headteacher, must ensure a written fire risk assessment is in place and reviewed annually, and that the detection and alarm system reflects its findings.

Most mainstream schools should have at minimum a Category L3 system: automatic detection in escape routes and rooms that open onto escape routes, plus manual call points throughout the building. Boarding schools and special schools typically require more comprehensive coverage. The 2025 update to BS 5839-1 introduced a preference for smoke detectors over heat detectors in sleeping areas, which is directly relevant to any school with residential provision.

The lockdown and fire system interaction

A development that many school leaders are not yet aware of is the guidance published by the Fire Industry Association in 2025 on using existing fire alarm infrastructure for lockdown alerts under Martyn's Law. BS 5839-1:2025 Clause 5a now explicitly addresses this, requiring that any lockdown signal be clearly differentiated from the fire evacuation signal so there is no confusion during an incident.

The practical implication is that schools can use their existing fire alarm hardware to deliver lockdown alerts, provided the system is specifically configured and documented to do so. This can be more cost-effective than installing a separate communication system. However, it requires the involvement of a qualified fire alarm engineer and must be covered in the fire alarm logbook. Schools should not attempt this reconfiguration without professional guidance.

There is also an important operational principle to understand. In a fire, the response is evacuation: everyone leaves the building. In a Martyn's Law incident, the response may be invacuation: everyone moves to a designated safe room and doors are secured. These two procedures are fundamentally incompatible, and a system that cannot clearly differentiate between the two signals can cause the wrong response at the worst possible moment. This is not a theoretical risk. It is the specific scenario that BS 5839-1:2025 Clause 5a was updated to address.

Section 07

Why Integration Is Not Optional

The majority of schools that have been adding security systems over time end up with three or four separate systems that do not communicate with each other. CCTV from one supplier, access control from another, intruder alarms from a third, all operating independently and all requiring separate management interfaces, separate maintenance contracts, and separate support relationships. This is the most common and most costly mistake in school security.

A genuinely integrated system, where CCTV, access control, and intruder alarms operate as a single platform, is substantially more powerful than the sum of its parts. When a door is forced open, the nearest camera is automatically directed to capture the event and an alert is sent to the monitoring centre and to nominated staff. When an access credential is used at an unexpected time or location, the footage from the adjacent camera is flagged for review. When the fire alarm activates, fail-safe door locks release automatically. These responses are automatic, immediate, and reliable. They require no human intervention in the critical seconds after an event.

The practical implication for procurement is significant. If you are replacing one system, it is worth evaluating whether the investment makes more sense as part of a broader integration project. A new CCTV system installed without reference to your access control is a missed opportunity. A new access control system that cannot connect to your CCTV is a specification failure that will cost more to rectify later than it would have cost to get right first time.

For a detailed guide to what integration means in practice and where it adds the most value, see the integrated security systems guide.

Section 08

How to Procure Without Getting It Wrong

Security procurement is where most schools lose money. A vague brief produces inconsistent quotes. Quotes that cannot be compared get assessed on price. The cheapest quote wins. The cheapest system turns out to be inadequate. Two years later the school is having the same conversation again.

The solution is a properly written specification that puts all suppliers on the same footing. A specification that defines the outcomes the system must achieve, the areas to be covered, the compliance requirements it must meet, the integration it must support, the questions all suppliers must answer in writing, and a pricing structure that requires costs to be broken down by category so they can be compared like for like.

On accreditations: any supplier installing security systems in a school should hold NSI NACOSS Gold or SSAIB approval for CCTV and access control, and BAFE registration for fire systems. These are not optional credentials. They are the benchmark quality standard that gives your governors confidence that the work has been done properly and provides a remediation route if it has not. Do not accept a supplier who cannot demonstrate current accreditation in the relevant discipline.

For the full specification process, including a template structure and the questions that separate good suppliers from the rest, see the school security specification guide. For guidance on making the financial case to your governors and finance committee, see the governor financial case guide.

Section 09

Budgeting: What Things Actually Cost

The reluctance of security companies to publish indicative pricing is one of the most frustrating aspects of procuring in this sector. The reason is commercial: without a price anchor, buyers cannot benchmark a quote. Here are the honest indicative ranges for school security in the South East in 2026.

CCTV systems

A basic CCTV installation covering the main entrance, car park, and key perimeter points of a typical primary school: £4,000 to £8,000 installed. A comprehensive system for a large secondary school with full perimeter coverage, internal cameras at key locations, AI analytics capability, and 31-day NVR storage: £25,000 to £55,000 installed. The range is wide because site complexity, cable runs, the number of cameras, and storage capacity all vary significantly. Annual maintenance contracts typically run at 10 to 15 per cent of installation cost.

Access control

A basic single-site system covering main entrance and two or three secondary doors with a simple visitor management interface: £6,000 to £12,000. A comprehensive multi-door system for a large secondary with full integration, visitor management, and lockdown capability: £20,000 to £45,000. Annual software licences and maintenance add £1,500 to £4,000 per year depending on system size.

Intruder alarms

A new intruder alarm installation for a typical primary school: £2,500 to £5,000. For a large secondary with multiple buildings: £8,000 to £20,000. Professional ARC monitoring adds £300 to £600 per year. This is one of the highest-value investments relative to cost in the entire security budget, and the one most frequently deferred.

Fire systems

A new Category L3 fire alarm installation for a typical primary school: £4,000 to £10,000. For a large multi-building secondary: £15,000 to £40,000. Annual maintenance and inspection costs to BS 5839-1:2025: £800 to £2,500 depending on system size.

Total cost of ownership

When presenting security investment to governors or a finance committee, the comparison is not between the capital cost and zero. It is between the total cost of ownership over five years versus the cost of incidents the investment prevents. A single overnight break-in at a school results in average losses of £15,000 to £30,000 when property damage, replacement costs, insurance excess, and staff time are accounted for. A monitoring subscription at £400 per year that prevents one such incident in five years has paid for itself many times over.

Section 10

Ongoing Management and Maintenance

A security system that is not actively managed degrades. Cameras drift out of alignment. Hard drives fill up and overwrite footage before the retention period is reached. Door controllers develop faults that go unreported because no one checks the logs. Access credentials remain active for staff who left six months ago. The system looks operational but is not providing the protection it was designed to deliver.

Active management means four things. First, someone in the school has named responsibility for the security systems, knows how to use them, and checks that they are functioning as expected on a regular basis. Second, maintenance visits are scheduled and carried out by accredited engineers, not deferred indefinitely because the system seems to be working. Third, the access credential list is reviewed and updated whenever a staff member, contractor, or regular visitor leaves. Fourth, footage retention is checked periodically to confirm the system is recording and storing footage for the specified period.
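The third and fourth checks lend themselves to a scheduled script. The following is an added example, not part of any vendor's software: it compares a credential export against the current staff roster and checks each camera's stored footage against the 31-day retention period. The export formats, field names, name-based matching, and tolerance values are assumptions; all sample data is constructed.

```python
from datetime import datetime, timedelta

REQUIRED_RETENTION = timedelta(days=31)  # retention period specified in this guide
SLACK = timedelta(days=1)                # assumed tolerance on the oldest footage
RECORDING_GAP = timedelta(hours=1)       # assumed limit before a camera counts as silent

# Constructed sample data. A real roster would be matched on a staff ID, not a name.
ROSTER = {"A. Teacher", "D. Caretaker"}

CREDENTIAL_EXPORT = [
    {"cred_id": "C-1001", "holder": "A. Teacher", "active": True},
    {"cred_id": "C-3001", "holder": "C. Leaver", "active": True},    # left, never disabled
    {"cred_id": "C-4001", "holder": "E. Supply", "active": False},   # left, disabled
    {"cred_id": "C-5001", "holder": "D. Caretaker", "active": True},
]

RECORDER_STATUS = [
    {"camera": "main-entrance", "installed": datetime(2024, 9, 1),
     "oldest": datetime(2026, 5, 8, 9, 0), "newest": datetime(2026, 6, 8, 8, 59)},
    {"camera": "car-park", "installed": datetime(2024, 9, 1),        # disk overwriting early
     "oldest": datetime(2026, 5, 27, 2, 0), "newest": datetime(2026, 6, 8, 8, 58)},
    {"camera": "side-gate", "installed": datetime(2024, 9, 1),       # stopped recording
     "oldest": datetime(2026, 5, 8, 9, 0), "newest": datetime(2026, 6, 2, 14, 0)},
    {"camera": "new-block", "installed": datetime(2026, 6, 1),       # new, so less footage is expected
     "oldest": datetime(2026, 6, 1, 10, 0), "newest": datetime(2026, 6, 8, 8, 59)},
]


def stale_credentials(export, roster):
    """Active credentials whose holder is no longer on the roster."""
    return [c["cred_id"] for c in export if c["active"] and c["holder"] not in roster]


def retention_findings(status, now, required=REQUIRED_RETENTION):
    """Return (camera, finding, detail) for each camera failing a check."""
    findings = []
    for cam in status:
        # A camera cannot hold footage from before it was installed.
        expected_oldest = max(cam["installed"], now - required)
        if cam["oldest"] > expected_oldest + SLACK:
            held = (now - cam["oldest"]).days
            findings.append((cam["camera"], "short_retention", f"{held} days held"))
        if now - cam["newest"] > RECORDING_GAP:
            silent = (now - cam["newest"]).days
            findings.append((cam["camera"], "not_recording", f"silent for {silent} days"))
    return findings


if __name__ == "__main__":
    now = datetime(2026, 6, 8, 9, 0)
    print("Deactivate:", stale_credentials(CREDENTIAL_EXPORT, ROSTER))
    for camera, finding, detail in retention_findings(RECORDER_STATUS, now):
        print(f"{camera}: {finding} ({detail})")
```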

Maintenance contracts

A planned preventative maintenance contract is not an optional extra. It is what keeps your system evidentially valid, your warranties intact, and your insurer's confidence maintained. The contract should include at minimum one annual visit per system, a defined response time for reactive callouts (four hours for a critical fault is the standard worth specifying), and clarity about what parts and labour are included. For the questions worth asking before signing a maintenance contract, see the CCTV maintenance guide.

Holiday period security

Holiday closures are the highest-risk period for most schools. The combination of an unoccupied site, reduced monitoring, and predictable timing makes schools disproportionately targeted during these periods. Before every closure, the site manager should complete a security checklist: all cameras operational, all access credentials for temporary staff deactivated, monitoring centre notified of closure dates, and any remedial works from the last maintenance visit completed. For a full pre-closure checklist, see the school holiday security guide.

Section 11

The Governor's Assurance Checklist

Governors have a duty of care and, in the case of maintained schools, a specific statutory responsibility for the safety of the school estate. The questions below are the ones a governor should be able to answer confidently after reviewing the school's security provision. If any of them cannot be answered, that is a gap that needs addressing before the next Ofsted or ISI inspection visit.

Governor assurance questions
  1. Legislative compliance. Has the school reviewed its KCSiE 2025 obligations for site security and visitor management? Is there a written CCTV policy, an access control policy, and documented visitor management procedures in place?
  2. Martyn's Law readiness. Has the school completed a protective security and preparedness plan? Has a responsible person been appointed? Is the school registered, or preparing to register, with the SIA ahead of the April 2027 enforcement deadline?
  3. Fire safety. Is the fire risk assessment current and does it reflect any changes to the building or its use? Has the fire alarm system been inspected and maintained to BS 5839-1:2025 in the last 12 months?
  4. CCTV operation. Is footage being recorded and retained for at least 31 days? Can staff locate and export specific footage within five minutes without specialist assistance? Has the camera coverage been reviewed against the current building layout in the last two years?
  5. Access control. Does the system accurately reflect current staff, and are credentials deactivated promptly when people leave? Can the system generate a real-time list of everyone currently on site? Is lockdown capability in place and tested?
  6. Intruder alarm. Is the system connected to a professional ARC monitoring centre? When was it last inspected by a qualified engineer? Does its coverage reflect the current building layout?
  7. Maintenance. Are planned preventative maintenance contracts in place for all security systems? When is the next scheduled visit for each system? Are there any outstanding remedial works from the last visit?
  8. Budget and planning. Is there a capital replacement schedule for security systems approaching end of life? Has the school assessed whether its current provision meets the standard required for Martyn's Law compliance?

A note on this guide: school security law changes annually. KCSiE is updated every September. British Standards are revised. New legislation comes into force. This guide reflects the position in June 2026. It will be reviewed and updated annually. If you are reading this more than twelve months after the publication date, verify the legislative references against the current versions of each document before acting on them.

Not sure where your school sits against this framework?

A free site survey is the most efficient way to find out. We assess your current provision against your legislative obligations, identify gaps in coverage or compliance, and give you a clear, costed picture of what needs to change. No obligation. No pressure to buy anything until you are ready.
