Home Articles & Guides Martyn's Law for Schools
⚠ Martyn's Law · April 2027

Martyn's Law for Schools:
A Practical Implementation Guide

May 2026
Fyrfly Systems
12 min read

April 2027 is closer than it looks. And for most school leaders, the Terrorism (Protection of Premises) Act 2025 — known as Martyn's Law — remains something that lives on a governor agenda rather than in an operational plan.

That needs to change. Not because terrorism is an imminent threat to your school. But because the way schools respond in a crisis — any crisis — depends entirely on the preparation that happened before it. Martyn's Law is the legislative push that many schools needed to get that preparation right.

This guide is for school leaders, bursars, estates teams, designated safeguarding leads, MAT directors, and governors who want a clear, honest account of what the law requires, what good compliance looks like, and how to make it stick operationally rather than just on paper.

What Martyn's Law Is — and Isn't

Martyn's Law is named after Martyn Hett, who was killed in the Manchester Arena attack in May 2017. His mother, Figen Murray, campaigned for seven years to make protective security a legal requirement for venues that admit the public. The Act received Royal Assent in April 2025.

The law requires certain premises and events to have protective procedures in place — not surveillance systems, not specialist security staff, and not military-grade protocols. Procedures. Plans. Trained people. That's the core ask.

It is not about turning schools into fortresses. It is about ensuring that if something serious happens, staff know what to do, and that decision was made calmly in advance rather than under pressure in the moment.

What "Publicly Accessible Premises" Means for Schools

Schools are explicitly in scope. Any premises where members of the public are permitted to enter — including parents, visitors, contractors, and community users — qualifies as a publicly accessible location under the Act.

This includes primary schools, secondary schools, academies, independent schools, sixth form colleges, special schools, and any school that holds events, lets its facilities, or admits visitors during the school day.

The relevant question is not "do we admit the public?" but "could a member of the public enter our premises?" For most schools, the answer is yes.

Standard Tier vs Enhanced Tier

The law creates two tiers of obligation based on capacity.

Standard Tier applies to premises with a capacity of 100 to 799 people. The majority of schools fall here. Standard Tier requires documented procedures, staff awareness, and a named Responsible Person. It does not require SIA registration, a formal security plan, or notification to any regulator.

Enhanced Tier applies to premises with a capacity of 800 or more. This includes larger secondary schools, sixth form colleges, and schools with significant event spaces. Enhanced Tier requires all Standard Tier obligations plus a formal security plan, a qualified Security Manager, and SIA notification.

For most primary schools and smaller secondaries, Standard Tier is the relevant framework. For larger schools and MATs with substantial sites, it is worth calculating capacity carefully — and erring on the side of Enhanced Tier if there is genuine ambiguity.

Not sure which tier you fall under? Our free Martyn's Law Readiness Assessment determines your tier and obligations in 5 minutes. Take the free assessment →

What Schools Actually Need to Do

The obligations for Standard Tier schools break down into five practical areas. None of them require specialist security expertise. All of them require clear thinking, honest assessment, and consistent follow-through.

1. Appoint a Responsible Person

Someone in senior leadership must own this. Not nominally — operationally. The Responsible Person is accountable for ensuring procedures exist, staff are aware of them, and they are reviewed regularly.

In most schools this will be the headteacher or a deputy. In a MAT, it may be the Chief Operating Officer or a delegated site leader. What matters is that the role is named, documented, and understood by the people who need to act on it.

2. Conduct a Security Risk Assessment

This does not need to be complex. A proportionate security risk assessment for a Standard Tier school covers:

The ProtectUK website provides a free five-stage risk management framework developed by NaCTSO and the Home Office. It is the right starting point, and it is designed to be accessible for non-security professionals.

3. Write Procedures for a Terrorist Attack Scenario

This is the element most schools are missing entirely.

Your fire evacuation plan is not sufficient. Fire evacuation assumes the building is the threat and moves people outside. A terrorist or hostile intruder scenario may mean the opposite — that moving people outside increases risk, and that shelter-in-place (invacuation) is the safer response.

Your procedures need to cover at minimum:

Each procedure should be specific to your site. Generic templates are a starting point, not a destination.

Generate your school's lockdown procedure Based on the official DfE lockdown template. Free, instant, print-ready PDF. Generate your procedure →

4. Ensure Staff Awareness

The law requires that staff whose roles are relevant to a terrorist attack scenario are made aware of the procedures. This is not a training course requirement — it is an awareness requirement. But awareness without any practical grounding is largely meaningless.

At minimum, relevant staff should:

"Relevant staff" means all teaching staff, support staff, site and facilities teams, reception, and anyone who manages visitors or events. It does not necessarily include pupils, though age-appropriate awareness is good practice.

5. Document Everything Proportionately

The law does not prescribe a specific format for documentation. What matters is that decisions are recorded, procedures are written down, and the Responsible Person can demonstrate that compliance has been considered and acted on.

A school with a clear, simple, site-specific set of procedures — even three pages — is in a better position than one with a 40-page document that nobody has read.

The DfE guidance on protective security for education settings provides a useful framework and cross-references Martyn's Law obligations.

Generate your CCTV policy documentation Acceptable Use Policy, UK GDPR Privacy Notice and DPIA Summary — ready for governor approval. Generate your policy →

Where Schools Often Get It Wrong

Compliance errors in this area are rarely deliberate. They are almost always the result of time pressure, misunderstanding, or a well-intentioned but ultimately ineffective approach.

Buying Technology Before Reviewing Procedures

CCTV systems, access control, and electronic locks are valuable tools. But a school that installs a £40,000 CCTV system without first reviewing its lockdown procedure has got the sequence backwards.

Technology supports procedures. Procedures do not emerge from technology. If your lockdown procedure says "lock all external doors remotely from the office," that is a reasonable starting point — then you specify the system that makes it possible. Not the other way around.

Treating Compliance as a One-Off Project

Martyn's Law compliance is not a project with an end date. It is an ongoing operational discipline. A school that achieves compliance in September 2026 and does nothing further will find its procedures out of date by September 2027 — after a change of headteacher, a site extension, or a new lettings arrangement.

Build the review into your annual cycle, not your project plan.

Overcomplicating the Plans

Longer procedures are not better procedures. A lockdown plan that runs to twenty pages of flowcharts and decision trees is one that staff will struggle to recall under pressure.

The best plans are clear, direct, and rehearsed. "On hearing the lockdown signal, secure your room, move away from windows, take a register, and wait for the all-clear from the headteacher by name." That is the kind of instruction that works.

Failing to Train Non-Teaching Staff

Site managers, caretakers, cleaners, catering staff, and minibus drivers may be the first people to encounter a threat — or the last people in contact with pupils during an evacuation. Non-teaching staff are routinely overlooked in security planning. They should not be.

Ignoring Contractors, Events, and Lettings

Your obligations do not end when the school day does. If your hall is let to a community group on Tuesday evenings, the Responsible Person's obligations extend to those events. If contractors are working on site during the holidays, they need to be briefed on emergency procedures.

Assuming Safeguarding Equals Preparedness

KCSiE compliance, strong DBS checking, and good safeguarding culture are essential. They are also not the same as terrorism preparedness. A school with excellent safeguarding processes may have no written lockdown procedure at all. These are separate disciplines with separate requirements.

How to Keep Compliance Live and Current

This is where most schools will struggle most — not with achieving initial compliance, but with maintaining it.

Build the Annual Review Into Governance

Make Martyn's Law compliance a standing item on the annual governor review calendar. The Responsible Person reports to governors once a year on: whether procedures are current, whether staff training is up to date, whether the risk assessment reflects any site changes, and whether any incidents or near-misses have occurred.

That single annual conversation, properly minuted, is evidence of governance oversight. It is also the prompt that ensures the work gets done.

Review After Any Significant Change

Trigger a review after:

Run Tabletop Exercises

A tabletop exercise is a facilitated discussion — typically 60–90 minutes — in which senior staff talk through how they would respond to a simulated scenario. No disruption to the school day. No alarm. Just a structured conversation that tests the plan.

Tabletops are far more valuable than most schools realise. They surface assumptions that turn out to be wrong, identify communication gaps, and build the muscle memory that makes real response more effective. Run one annually. Vary the scenario. Include a governor or two if possible.

Embed It Culturally, Not Just Procedurally

The schools that handle crises best are not those with the longest policy documents. They are those where staff have a shared mental model of what to do — because it has been talked about, rehearsed, and normalised. The goal is not a compliant document. It is a prepared school community.

Practical Implementation Roadmap

First 30 days
  • Appoint and formally document the Responsible Person
  • Complete the ProtectUK five-stage risk assessment
  • Confirm Standard Tier or Enhanced Tier status
  • Audit existing procedures — what exists, what is missing
  • Ensure all relevant staff complete ACT Awareness e-learning
Days 31–60
  • Write or update evacuation and invacuation procedures
  • Define and test your lockdown signal
  • Brief all relevant staff on procedures
  • Identify site-specific considerations (SEN, shared sites, lettings)
  • Review visitor management processes
Days 61–90
  • Run a tabletop exercise with senior leadership
  • Conduct a physical walkthrough of all procedures
  • Review and update all emergency contact lists
  • Present compliance status to governors
Annual cycle
  • Review all procedures against any site or organisational changes
  • Refresher briefing for all staff
  • Tabletop exercise with varied scenario
  • Governor report and formal sign-off

Martyn's Law Compliance Checklist

Governance

Risk Assessment

Procedures

Staff Awareness

Testing

Frequently Asked Questions

Yes. The Act applies to any premises that admit members of the public, regardless of whether the school is state-maintained, an academy, or independent. Independent schools with a capacity of 100 or more are in scope for Standard Tier obligations.
No. Standard Tier compliance does not require the appointment of a Security Manager or any specialist security personnel. It requires a named Responsible Person in senior leadership, documented procedures, and staff awareness. Enhanced Tier schools (800+ capacity) do require a qualified Security Manager.
A primary school with 200 pupils needs simple, clear procedures — not an elaborate security infrastructure. A one-page evacuation plan, a one-page lockdown plan, a briefed staff team, and an annual review is proportionate and compliant. The law is explicit that obligations should be proportionate to the nature and size of the venue.
The law does not specify a minimum frequency for drills. The DfE guidance recommends practising lockdown procedures at least once per academic year. Tabletop exercises are an effective complement to physical drills and are significantly less disruptive to the school day.
Yes. Open days, parents' evenings, school productions, sports days, and community lettings all fall within scope if members of the public are admitted. The Responsible Person's obligations extend to these events, and procedures should account for the different staffing, layout, and visitor profile that events create.
Schools should retain: the current risk assessment, all written procedures, records of staff training, minutes of tabletop exercises, governor sign-off records, and a log of any reviews or updates. There is no prescribed format, but documentation should be sufficient to demonstrate that the Responsible Person has considered and acted on their obligations.
Once enforcement begins in April 2027, the SIA will have powers to inspect compliance, issue improvement notices, and impose financial penalties. Outdated procedures that have never been reviewed or tested are both a compliance risk and an operational risk to the people in the building.
Shared sites require a coordinated approach. Each organisation with a Responsible Person has their own obligations, but procedures need to be compatible — particularly around shared entrances, car parks, and communication channels. Document who is responsible for what and ensure both organisations have sight of each other's plans.

Preparedness Is Leadership

Every school that has worked through this process honestly has come out saying the same thing: it was less complicated than we expected, and we feel better for having done it. Martyn's Law is the legislative prompt. The operational discipline is yours to build.

Take the Free Assessment → Generate Lockdown Procedure
⚠ Free Compliance Tools

Ready to act on what you've read?

Use our free tools to assess your readiness, generate your lockdown procedure and produce your compliance documentation — all in one place, no registration required.

Martyn's Law Readiness Assessment

Determine your tier, identify gaps in your current provision, and receive a prioritised action plan and downloadable readiness report — in 5 minutes.

Take the free assessment →

School Lockdown Procedure Generator

Generate a complete, DfE-compliant lockdown procedure specific to your school — signals, key personnel, safe rooms, communications and emergency contacts.

Generate your procedure →