This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Firewall Compliance with UK Government's Keeping Children Safe In Education

Hi Sophos / Community,

Please can someone confirm that Sophos Firewall Web Fitlering is compliant with the UK Government's Keeping Children Safe In Education standards? I'm unable to provide a direct link to the UK GOV website where this inforamtion is shown as this forum automatically flags it as spam, and the post removed by the automod.

You can readily find these standards by searching for the aforementioned, but in particualr I would like to know if the Sophos Firewall Web Filtering is capable of the following (excerpt):

Technical requirements to meet the standard  

Make sure your filtering provider is: 

a member of Internet Watch Foundation (IWF) 
signed up to Counter-Terrorism Internet Referral Unit list (CTIRU) 
blocking access to illegal content including child sexual abuse material (CSAM) 

If the filtering provision is procured with a broadband service, make sure it meets the needs of your school or college.

Your filtering system should be operational, up to date and applied to all: 

users, including guest accounts
school owned devices
devices using the school broadband connection

Your filtering system should:

filter all internet feeds, including any backup connections  
be age and ability appropriate for the users, and be suitable for educational settings  
handle multilingual web content, images, common misspellings and abbreviations  
identify technologies and techniques that allow users to get around the filtering such as VPNs and proxy services and block them
provide alerts when any web content has been blocked 

Mobile and app content is often presented in a different way to web browser content. If your users access content in this way, you should get confirmation from your provider as to whether they can provide filtering on mobile or app technologies. A technical monitoring system should be applied to devices using mobile or app content to reduce the risk of harm. 

It is important to be able to identify individuals who might be trying to access unsuitable or illegal material so they can be supported by appropriate staff, such as the senior leadership team or the designated safeguarding lead. 

Your filtering systems should allow you to identify: 

device name or ID, IP address, and where possible, the individual
the time and date of attempted access
the search term or content being blocked

Schools and colleges will need to conduct their own data protection impact assessment (DPIA) and review the privacy notices of third party providers. A DPIA template is available from the ICO. 

The DfE data protection toolkit includes guidance on privacy notices and DPIAs.

The UK Safer Internet Centre has guidance on establishing appropriate filtering.

Your senior leadership team may decide to enforce Safe Search, or a child friendly search engine or tools, to provide an additional level of protection for your users on top of the filtering service.

All staff need to be aware of reporting mechanisms for safeguarding and technical concerns. They should report if:  

they witness or suspect unsuitable material has been accessed 
they can access unsuitable material  
they are teaching topics which could create unusual activity on the filtering logs 
there is failure in the software or abuse of the system 
there are perceived unreasonable restrictions that affect teaching and learning or administrative tasks 
they notice abbreviations or misspellings that allow access to restricted material

If possible / more appropriate, can someone tell me where I may find an authority from Sophos who can verify the above?

Many Thanks

This thread was automatically locked due to age.
  • Hi Ptho,

    Thank you for reaching out to Sophos Community.

    I would recommend reaching out to your Account Manager for this kind of query.

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi Erick, yes, that was the avenue I've gone down. Just haven't heard back yet, so thought I'd ask the community as a back-up. Thanks though!

  • Hi Ptho,

    Did you ever get a response? Need this information myself.

    Kind regards,


  • Not entirely. I asked our Sophos Account Manager, who investigated internally before coming back stating that Sophos Firewall meets the requirements of the Internet Watch Foundation (IWF) and Counter-Terrorism Internet Referral Unit list (CTIRU), and is certified to the UK Safer Internet Centre standards.

    They didn't outright state that the Firewall was compliant with the standards expected of KCSIE, however when properly configured I am satsified that it does adhere to the stipulations expected.

    That said, it would be nice for Sophos to be in a position to state they are compliant absolutely. It wasn't the answer I was expecting given the prominence the KCSIE guidance has in my sector.

  • As far as I can tell Sophos Firewall falls short on one important part of the new KCSIE as currently there is no way to setup email alerts when any web content has been blocked, which is something our headteachers are urgently requesting.  For comparison smoothwall provide this feature.  As all our 70 customers are in the Primary Education sector we will be forced to move back to Smoothwall if Sophos do not quickly add this vital feature, otherwise our educational internet service may not be compliant which could cause issues during OFSTED inspections.  And I am speaking from experience unfortunately.

  • Morning

    Can I suggest you have a chat to your Sophos account manager or the eductation team. Having spent time reading the KCSIE 2023 and linked guidance documents (filtering and monitoring standards and Prevent), the requirement is effective monitoring and to provide alerts when web content is being blocked, the platform fully complies with.

    Remember a lot of education settings the DSL is often a teacher with a full timetable and little PPT, so regular emails are more than enough to notify them of any potential intervention requirements as per the schools Safeguarding process (which is more of interest to the inspectors). 

    Anyway, please drop your account manager a line and im sure they would be happy to discuss further.

  • Hi Rog, as above, I did reach out to the AM and wasn't give a wholly satisfactory answer. In our situation we have a secondary product that meets the safeguarding needs that the Sophos product falls short on. Therefore, I wouldn't say it is entirely compliant in and of itself.