School IT summer checklist: 5 things IT leads should be doing right now
The summer holidays are the most valuable window in the school IT calendar — and the right time to work through your school IT summer checklist. For most schools, they’re also the only time significant infrastructure work can actually happen — network upgrades, server migrations, Wi-Fi overhauls, and device rollouts all need physical access, scheduled downtime, and focused time from engineers that simply isn’t available during term. School network summer maintenance that would take weeks to schedule around lessons can be executed cleanly when the building is quiet.
The school IT holiday window is shorter than it looks. Alongside any larger projects, there’s a set of foundational tasks that are easy to deprioritise during term and genuinely important to get right before September. Use this school IT summer checklist to make sure nothing important gets missed before the new term starts.
1. Remove leavers and audit user accounts
Ex-staff with active credentials, students in the wrong groups, and generic or shared accounts that should have been closed are among the most common — and most exploitable — gaps in school IT security. With staff off site, now is the time to reconcile your Active Directory or Entra ID against your HR records, close accounts that shouldn’t still be open, and review admin privileges. It’s straightforward work that’s easy to deprioritise during term and genuinely important to get right.
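The reconciliation described above can be scripted against two exports. This is an added example, not part of the original checklist; the CSV column names, the sample rows, the admin group list and the 90-day stale threshold are all assumptions to adapt to your own HR and directory exports.

```python
import csv
import io
from datetime import date

# Constructed sample data; column names are assumptions about your own exports.
HR_CSV = """employee_id,name,status
1001,A. Patel,active
1002,J. Smith,left
1003,M. Jones,active
"""
DIRECTORY_CSV = """username,employee_id,enabled,last_logon,groups
apatel,1001,true,2025-07-10,Staff
jsmith,1002,true,2025-05-02,Staff;Domain Admins
mjones,1003,true,2024-11-20,Staff
reception,,true,2025-07-15,Staff
oldtemp,1009,false,2023-01-05,Staff
"""
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins"}  # adjust to your estate
STALE_DAYS = 90  # assumed threshold for "not used recently"


def audit_accounts(hr_csv, directory_csv, today):
    """Return {username: [findings]} for enabled accounts that need review."""
    active_ids = {r["employee_id"] for r in csv.DictReader(io.StringIO(hr_csv))
                  if r["status"].strip().lower() == "active"}
    findings = {}
    for acct in csv.DictReader(io.StringIO(directory_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing left to close
        issues = []
        emp_id = acct["employee_id"].strip()
        if not emp_id:
            issues.append("no HR owner (generic/shared account?)")
        elif emp_id not in active_ids:
            issues.append("not an active employee in HR (leaver?)")
        if ADMIN_GROUPS & set(acct["groups"].split(";")):
            issues.append("admin privileges: confirm still required")
        idle = (today - date.fromisoformat(acct["last_logon"])).days
        if idle > STALE_DAYS:
            issues.append(f"no logon for {idle} days")
        if issues:
            findings[acct["username"]] = issues
    return findings


if __name__ == "__main__":
    report = audit_accounts(HR_CSV, DIRECTORY_CSV, date(2025, 7, 28))
    for user, issues in report.items():
        print(f"{user}: {'; '.join(issues)}")
```

Treat the output as a review list rather than an automatic disable list: a flagged account may be a legitimate service or long-term-absence account that needs an owner recorded, not closure.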
2. Review safeguarding and content filtering settings
Check that your filtering policies reflect your current acceptable use policy and that any temporary exceptions added during the year have been removed. Review your filtering logs from the past term — they’ll show you whether anything is getting through that shouldn’t be. With Ofsted and the Online Safety Act both placing increasing weight on schools’ online safety provision, this is worth doing thoroughly while you have time to act on what you find.
3. Patch and update every device on your school network
Any device that’s been sitting unused since Easter needs updates before it touches your network again. That includes endpoints, but also firmware on switches, access points, and routers. Running updates across a full estate is disruptive during term — someone always needs the device you’re trying to patch. With the building quiet, you can work through the estate properly without managing around lessons or staff requirements.
4. Audit remote access and check MFA is in place
Over time, schools accumulate remote access tools and configurations that made sense when they were set up but may no longer be necessary. Run through what’s currently enabled, close down anything that isn’t actively used, and confirm that MFA is in place for all staff on Microsoft 365 and any remote access systems. If MFA isn’t enabled universally yet, this is the window to change that — without the pressure of doing it around a live user base.
5. Start your school Cyber Essentials process this summer
If your school doesn’t yet hold Cyber Essentials certification, the summer is the right time to begin. The scheme covers five controls: firewalls, secure configuration, user access control, malware protection, and patch management. Much of the work you carry out over the summer directly supports your position on those controls — which means starting the process now, rather than in October, gives you the best chance of reaching certification without remediation work eating into term time. If your school already holds Cyber Essentials, check your renewal date and begin the process before the building fills up again.
Frequently asked questions - School IT summer checklist
What IT tasks should schools carry out over the summer holidays?
The summer holidays are the best time to carry out work that’s disruptive during term — patching devices, auditing user accounts, reviewing content filtering, and checking remote access and MFA. Schools also use the window for larger projects such as network refreshes, server migrations, and Wi-Fi upgrades that require scheduled downtime.
How long does Cyber Essentials take for a school?
For most schools, the Cyber Essentials self-assessment takes four to six weeks from start to certification, depending on how much remediation is needed. Starting in the summer gives you time to address any gaps before term begins, without the pressure of doing it around a live school environment.
Should schools check their content filtering settings every year?
The DfE Digital and Technology Standards require schools to review their filtering and monitoring provision at least once every academic year. Reviewing at the end of the summer term is good practice — temporary exceptions added during the year can create gaps, and policies should reflect any changes to your acceptable use policy, safeguarding requirements, or how your school uses technology.
What does MFA mean for schools and why does it matter?
MFA stands for multi-factor authentication. It requires users to verify their identity using a second method — such as an app notification or code — in addition to their password. For schools using Microsoft 365, enabling MFA for all staff accounts significantly reduces the risk of unauthorised access, particularly through phishing attacks, which are among the most common threats facing schools.
DMS works with schools across the UK on network health checks, Cyber Essentials, and planned infrastructure work during the summer. If you want a second pair of eyes on any of the above — or if the scope of work is bigger than your internal team can manage over the holidays — get in touch and we’ll talk through what’s involved.
