Schools spend significant sums on CCTV, access control and intruder alarms, then discover that a contractor walked through reception unchallenged, a door is propped open every afternoon, and nobody knows the code to the alarm panel because the person who set it up left two years ago. The technology was fine. The systems around it were not. Good school security is not about having the right equipment. It is about having equipment, policies and people working together consistently.
A useful way to think about school security is in three layers, each of which supports the others.
The physical layer is what most people think of when they think of security: fencing, gates, cameras, door readers, alarm panels. This layer deters opportunistic threats and detects genuine ones. It is necessary but not sufficient on its own. A camera that nobody monitors, a gate that is always left open, or an alarm that is never tested provides the appearance of security without the substance.
The procedural layer is the set of policies, processes and routines that determine how the physical layer is actually used. Who is authorised to grant access to visitors? What happens when an unrecognised person is seen on site? What is the procedure when the fire alarm sounds? How are new staff given access credentials, and how are leavers removed from the system? These procedures are what make technology work in practice.
The cultural layer is the hardest to build and the most important. A school where every member of staff feels responsible for site security is significantly harder to compromise than one where security is seen as somebody else's job. Culture is built through training, through leadership that takes security seriously, and through consistency in applying the procedures that have been set.
Most security failures in schools can be traced to a weakness in one of these three layers. Rarely is it the technology that fails. More often it is the procedure that was never followed, or the culture that allowed a breach to happen because "it would be awkward to challenge someone."
Keeping Children Safe in Education is the statutory guidance that governs safeguarding in English schools and colleges. Most school leaders are familiar with it in the context of staff recruitment and pupil welfare, but it has direct implications for physical security that are sometimes overlooked.
KCSiE requires schools to ensure that all adults on site are known and their presence is purposeful. It requires that appropriate measures are in place to prevent unauthorised access. It requires that schools have procedures for managing contractors and other visitors. These are not suggestions — they are statutory requirements, and Ofsted will look for evidence that they are being met.
What KCSiE does not do is specify the technology. It does not say that schools must have CCTV, or access control with specific features, or any particular type of alarm. The choice of technology is left to the school, informed by its own risk assessment and the guidance of its safeguarding team. This flexibility is sometimes read as permission to do the minimum, which it is not.
The practical test is whether the school can demonstrate, to an Ofsted inspector or to a concerned parent, that it knows who is on site at any given time and that its procedures prevent unauthorised adults from accessing areas where children are present. A paper sign-in book fails this test. A digital visitor management system with photo capture, DBS flag alerts and an evacuation report that lists every person on site does not.
Walk into most UK schools and you will find a reception desk, a sign-in book, and a member of staff who is simultaneously answering the phone, dealing with a pupil, and trying to issue a visitor badge. The sign-in process is an afterthought, and the information it captures is unreliable.
This matters for several reasons. A sign-in book is not searchable in real time — if you need to know who is on site right now, you cannot find out quickly. It does not flag visitors whose DBS status should be known. It does not produce an evacuation list. And it does not prevent a visitor from walking into the school unchallenged once they have signed in, because there is no access control beyond reception.
A well-designed visitor management system addresses all of these. Pre-registration means expected visitors are in the system before they arrive, with their ID verified and their DBS status flagged where relevant. Photo capture on arrival creates a visual record. A printed badge with the visitor's name, photo and permitted areas is both a practical identification tool and a visual signal to staff that this person is authorised to be here. An evacuation report generated from the system ensures no visitor is overlooked in a fire or emergency.
The investment is modest and the compliance benefit is significant. It also removes the pressure on reception staff to make security judgements under time pressure, which is where most mistakes happen.
Multi-Academy Trusts present a specific access control challenge that single-school systems cannot easily address. Staff move between schools, contractors work across multiple sites, and leadership teams need visibility of access events at every school in the trust from a single point.
A properly designed MAT access control system allows a new member of staff to be enrolled once, centrally, and granted access to the specific schools and areas they need across the entire trust. When they leave, their access is revoked everywhere with a single action. The audit trail of access events is available to trust leadership, not just individual school business managers.
This matters for safeguarding. A person whose employment at one school in a trust raises a concern should not retain access to the other schools in the trust while an investigation is underway. A centralised system makes that straightforward. A collection of standalone systems at individual schools makes it very difficult.
The same principle applies to contractors. A cleaning company or maintenance firm that works across a trust's schools needs managed, time-limited access at each site. A centralised system can grant and revoke that access consistently, log every entry, and produce a record of who was present at which school and when.
Schools are increasingly used as community assets outside school hours. Sports clubs, community groups, adult learning programmes and commercial lettings all generate revenue and support community relationships, but they also create security complexity that many schools have not properly addressed.
The core problem is that out-of-hours lettings require managed access to specific parts of the school — the sports hall, the kitchen, the car park — without providing access to the rest of the building. A key or a code that grants access to everything is not the answer. Nor is having a member of staff present for every letting, which is expensive and unsustainable.
Access control systems solve this cleanly. Time-restricted credentials can be issued to letting groups that open only the specific doors they need, only during the times their booking runs. The CCTV system should cover all areas in use during lettings, with remote access so that the caretaker or business manager can check in without being physically present. The intruder alarm should be configured so that the let zones can be occupied without triggering the alarm, while the rest of the building remains protected.
This is not a complex configuration, but it needs to be designed properly. A system retrofitted to allow lettings usually has gaps that create either security risks or practical problems for the letting groups. Getting it right at the specification stage is significantly easier and cheaper than fixing it later.
Security is not a project that gets completed and then stays done. Staff change, buildings change, the threat picture changes, and technology needs maintaining to remain effective. Schools that review their security arrangements annually are in a significantly better position than those that only look at it when something goes wrong.
An annual review should cover a small number of specific questions. Are the keyholder lists for the alarm and monitoring systems current? Has every new member of staff who needs access credentials been enrolled, and have all leavers been removed? Is the CCTV recording system working correctly, with adequate storage and correct retention periods? When was the intruder alarm last tested, and was it tested by an engineer or just by a member of staff pressing a button? Are there any areas of the site that have changed since the security systems were designed, such as new portable buildings, changed access routes or altered layouts?
This review does not require a specialist, though a specialist can add value to it. A business manager with a checklist can cover most of it in half a day. The discipline of doing it every year, and recording the findings, is more valuable than any individual finding it produces.
We carry out free site surveys for schools and Multi-Academy Trusts across the UK. We look at physical systems, procedures and compliance gaps, and give you a clear picture of where the priorities are.
Get in Touch →