KCSIE · Schools

KCSIE-aligned school website audit: the 2026 checklist

By Jordan Gilbert

In brief

Keeping Children Safe in Education (KCSIE) is statutory guidance maintained by the Department for Education. Eight of its requirements carry explicit website implications — safeguarding contacts, the Prevent duty, behaviour and exclusions, SEN information, complaints, online safety, child protection, and the Prevent risk assessment. Ofsted inspectors check each one against the live site as part of pre-inspection desk research. This is the eight-point audit checklist, with the audit-pass marker, the concrete fix, and the markup pattern for each requirement.

Keeping Children Safe in Education — KCSIE — is the statutory safeguarding guidance every school, college, and registered childcare provider in England must follow. The Department for Education publishes it annually, and every Designated Safeguarding Lead reads the current edition at the start of the school year. It is not a recommendation. It is statutory guidance under section 175 of the Education Act 2002, and a school that does not follow it without good reason is challenged at the next Ofsted inspection.

Eight of KCSIE’s requirements name the school’s website as the place certain information must be published. The Department for Education’s separate guidance, What maintained schools must publish online (and the equivalent for academies), repeats and extends the list. Inspectors check each one before they arrive: the pre-inspection desk research is partly a website audit, and a school whose site is non-compliant begins the inspection in a defensive posture.

This is the eight-point website audit checklist for 2026. Each requirement is named, the audit-pass marker is named, and the concrete fix is named.

What KCSIE expects the website to do

The website is not the safeguarding policy. The website is the public projection of the safeguarding policy — the channel through which a parent, a child, a former pupil, a contracted-supplier safeguarding lead, or an inspector verifies that the school holds the named documents, the named contacts, and the named procedures. KCSIE expects each of those projections to be present, current, and findable within two clicks of the homepage.

The eight requirements below are drawn from the current KCSIE text and the Department for Education’s What schools must publish online guidance. The order follows the typical inspector walkthrough.

1. Safeguarding policy and named contacts

The KCSIE requirement

KCSIE Part 1 paragraph 13 and Part 2 paragraph 76 require schools to hold a written child protection policy, reviewed at least annually and made available publicly, either via the school website or by other means. The Designated Safeguarding Lead (DSL) must be named.

Audit-pass marker

A /safeguarding page (or /policies/safeguarding) linked from the global navigation, last reviewed within the last twelve months, with the DSL named — first name, surname, job title, school email — and a deputy DSL named alongside. The policy published as HTML (preferred) or a tagged-PDF download carrying a lastUpdated date.

The fix

<article>
  <h1>Safeguarding and child protection</h1>
  <p class="meta">Policy last reviewed: 1 September 2025 ·
     Next review: 1 September 2026</p>

  <section>
    <h2>Designated Safeguarding Lead</h2>
    <p><strong>Ms Jane Practitioner</strong>, Deputy Headteacher<br>
       <a href="mailto:dsl@example-school.org.uk">dsl@example-school.org.uk</a><br>
       Direct line: 0113 000 0000 (in school hours)</p>
  </section>

  <section>
    <h2>Deputy Designated Safeguarding Lead</h2>
    <p><strong>Mr Adam Practitioner</strong>, Head of Year 7<br>
       <a href="mailto:deputy-dsl@example-school.org.uk">deputy-dsl@example-school.org.uk</a></p>
  </section>

  <section>
    <h2>Out of hours and urgent concerns</h2>
    <p>Outside school hours, contact Local Authority Children's Social Care
    on 0113 000 0000. In an emergency call 999.</p>
  </section>
</article>

2. The Prevent duty

The KCSIE requirement

KCSIE Part 1 paragraphs 159–164 cover the Prevent duty — the duty under section 26 of the Counter-Terrorism and Security Act 2015. Schools must have due regard to the need to prevent people being drawn into terrorism. The Department for Education expects the school’s Prevent arrangements to be published and the Prevent lead named.

Audit-pass marker

A /prevent page (or a Prevent section within the safeguarding policy) naming the Prevent lead, summarising the school’s Prevent risk assessment in plain English, and linking the Prevent referral channels — the local Channel panel and Counter-Terrorism Police.

The fix

A dedicated section at /safeguarding/prevent with the Prevent lead’s name and contact details, a 200-word summary of the risk-assessment outcome (“our current assessment identifies these risks for our school community: … — our mitigations are …”), and links to the published Channel duty guidance and Prevent duty guidance for England and Wales.

3. Behaviour policy and exclusions

The KCSIE requirement

KCSIE Part 1 paragraph 142 and the separate Behaviour in schools guidance (Department for Education, 2024) require a written behaviour policy published on the website. Where the school uses suspensions or permanent exclusions, the policy must align with the Suspension and permanent exclusion guidance (Department for Education, 2024) and be referenced from the website.

Audit-pass marker

A /policies/behaviour page carrying the current behaviour policy, an /policies/exclusions page (or a section within behaviour) covering the school’s approach to suspensions and permanent exclusions, and a clear statement that parents have a right to make representations to the governing board against a permanent exclusion.

The fix

Two indexed pages with explicit lastUpdated dates and numbered headings matching the Department for Education template structure. A /parents/rights page (or section) summarising the appeal route — the element inspectors check during the desk-research pass.

4. SEN information report

The KCSIE requirement

KCSIE Part 5 paragraph 198 references special-educational-needs duties. Separately, the Special Educational Needs and Disability Regulations 2014, Schedule 1, require schools to publish a SEN information report annually on the website, covering fourteen specified items — the kinds of SEN provided for, identification and assessment, support arrangements, training, equipment, complaints, transition arrangements, and more.

Audit-pass marker

A /sen-information-report page (or /send/information-report) with the fourteen Schedule-1 items as numbered subheadings, dated within the last twelve months, the SENCO named and contactable.

The fix

<article>
  <h1>SEN information report 2025–2026</h1>
  <p class="meta">Published: 1 September 2025 ·
     Next review: 1 September 2026 ·
     SENCO: <a href="mailto:senco@example-school.org.uk">Ms B. Practitioner</a></p>

  <ol>
    <li id="kinds-of-sen"><h2>The kinds of SEN provided for</h2><p>...</p></li>
    <li id="identification"><h2>Identification and assessment</h2><p>...</p></li>
    <li id="consultation"><h2>Consultation with parents and children</h2><p>...</p></li>
    <!-- continues through all 14 schedule items -->
  </ol>
</article>

The SEN regulations name the fourteen items in fixed order, and the page should follow that order: the inspector or contracting authority sample-checks by counting headings.

5. Complaints procedure

The KCSIE requirement

KCSIE Part 1 paragraph 17 and the separate Best practice guidance for school complaints procedures 2020 require a published complaints procedure. For maintained schools, this is a statutory duty under section 29 of the Education Act 2002.

Audit-pass marker

A /complaints page linked from the global footer, naming the school’s stages — informal (raised with class teacher or form tutor), stage 1 (written to the Headteacher), stage 2 (to the Chair of Governors), escalation (to the ESFA for academies or the Local Authority for maintained schools) — with named contacts at each stage and indicative timescales: acknowledge within five school days, full response within twenty school days, escalation if unresolved within thirty days.

The fix

A complaints page opening with a 60-word plain-English summary above the fold, followed by the stage-by-stage procedure as a numbered list, ending with the escalation path. The footer link uses the exact word “Complaints”.

6. Online safety policy

The KCSIE requirement

KCSIE Part 2 paragraphs 134–141 cover online safety. Schools must hold an online-safety policy reflecting the school’s approach to filtering and monitoring — the UK Safer Internet Centre’s Appropriate filtering and monitoring expectations apply. The policy and the underlying filtering and monitoring approach must be published.

Audit-pass marker

A /policies/online-safety page summarising the school’s approach to filtering, monitoring, the acceptable-use policy (AUP), incident reporting, and parent communications. A linked AUP for pupils. A linked parent guide for online safety at home.

The fix

Three linked pages: /policies/online-safety (the umbrella policy), /policies/acceptable-use-pupils (the AUP), and /parents/online-safety (the parent guide). All three carry lastUpdated dates and an explicit reference to the school’s filtering supplier and monitoring approach. KCSIE 2024 added an explicit expectation that schools name the filtering supplier and review the approach annually — the website is the public projection of that review.

7. Child protection policy, referenced separately from safeguarding

The KCSIE requirement

KCSIE Part 2 paragraph 76, read with the separate Working Together to Safeguard Children 2023 guidance, treats child protection and safeguarding as overlapping but distinct policy areas. The Department for Education expects schools to publish a child protection policy as a discrete document, distinct from the broader safeguarding policy, even where the two are bound together in a single PDF in practice.

Audit-pass marker

A /policies/child-protection page or section reachable independently of the broader safeguarding page, last reviewed within the last twelve months, cross-referenced from the safeguarding page.

The fix

A discrete URL at /policies/child-protection carrying the child-protection content extracted from the broader safeguarding document. Cross-link /safeguarding to /policies/child-protection and the reverse. Both pages carry the same lastUpdated date, because they form a policy pair.

8. Prevent risk assessment

The KCSIE requirement

KCSIE Part 1 paragraph 161 requires schools to undertake a Prevent risk assessment. The Prevent duty guidance for England and Wales (Home Office, 2023, updated) extends the expectation that schools publish a summary, or otherwise evidence that the risk assessment exists. Inspectors ask to see the risk assessment during inspection; pre-inspection, the website is the surface they read.

Audit-pass marker

A /safeguarding/prevent-risk-assessment page (or a clearly named section under the Prevent page) carrying a plain-English summary of the school’s current risk-assessment outcome — the named risks, the named mitigations, the named review date. Not the full risk-assessment document, which lives in the school’s safeguarding folder, but a public summary.

The fix

A 300- to 500-word summary at /safeguarding/prevent-risk-assessment, structured as:

<article>
  <h1>Prevent risk assessment summary 2025–2026</h1>
  <p class="meta">Last reviewed: 1 September 2025 ·
     Next review: 1 September 2026 ·
     Prevent lead: <a href="mailto:prevent@example-school.org.uk">Mr C. Practitioner</a></p>

  <section>
    <h2>Identified risks for our school community</h2>
    <ul>
      <li>Online radicalisation routes via gaming and social media platforms</li>
      <li>Local extreme-right activity in [named area] requiring vigilance</li>
      <!-- specific to the school's actual assessment -->
    </ul>
  </section>

  <section>
    <h2>Mitigations</h2>
    <ol>
      <li>Filtering and monitoring via [named supplier]</li>
      <li>Annual staff training on Prevent indicators</li>
      <li>Curriculum coverage in PSHE and Citizenship</li>
      <li>Local-authority Prevent partnership engagement</li>
    </ol>
  </section>
</article>

The published summary does not need to expose sensitive operational detail. It needs to demonstrate that the risk assessment exists, has been reviewed in the last twelve months, and is governed.

What the Department for Education also expects on the website

The eight requirements above are the KCSIE-anchored ones. The separate Department for Education guidance, What maintained schools must publish online, adds: the school’s admissions arrangements, the equality information and objectives, the curriculum by subject and year, the pupil premium strategy statement, the school’s results and performance data, the values and ethos statement, the governors’ information and duties, the names of governors and their attendance, the school’s financial benchmarking, the careers programme (for secondary schools), and the trust governance information (for academies). Most school sites partially satisfy these and entirely miss the curriculum-by-subject-and-year requirement; the audit checks all of them as part of the same desk-research pass.

How the work is held

Custodiance runs this as a managed estate, in-jurisdiction, to your regulator’s standard. The structural work is rebuilding the policy-index architecture — the eight pages above plus the Department for Education publication-list pages — wiring the lastUpdated discipline, and standing up the named-contact disclosure so the DSL, deputy DSL, SENCO, and Prevent lead are findable within two clicks. The school does not delegate its policy content: that is a leadership exercise the headteacher and DSL lead on. Custodiance provides the templates, the markup, the information architecture, and the publication discipline, and holds them on the school’s behalf — so the annual-review dates do not slip between inspections.

This sits within the Growth tier (£1,495 per month) for an established school or academy that wants its estate run properly, or the Embedded engagement (from £6,000 per month, bespoke) where a fractional CTO owns the roadmap and the compliance posture outright. The confidentiality-and-residency work covered in the KCSIE confidentiality briefing runs in the same engagement — the layer this checklist sits on top of.

The Custodiance methodology — the published standard each estate is built to — is set out in the framework. The approach describes how an engagement runs across the school year.

Request a scoping call

Where a school’s website has not been audited against the current KCSIE text — or where the last Ofsted inspection flagged a policy-publication gap — request a scoping call. Each of the eight requirements above is reviewed against the live site and marked pass, partial, or fail, with the specific remediation for each.

Sources & methodology

Checklist drawn from the current published KCSIE guidance, the Department for Education What schools must publish online statutory list, the Prevent and behaviour guidance, and requirement-by-requirement review of UK maintained school and academy websites under pre-inspection desk-research conditions across 2025–2026.

Last updated 3 June 2026.

Custody, not marketing.

Have a senior partner read your estate against this.

A scoping call is a measured conversation about your obligations, your current setup, and what it would take to run it to your regulator's standard. No obligation, and no pressure.

Request a scoping call More briefings