Cyber Essentials for law firms: a practical checklist
Cyber Essentials is the right starting point for most small firms. Here's what it actually requires, and what to fix first if you're starting from scratch.
Cyber Essentials is a UK government-backed certification covering five technical control areas. For law firms wondering where to start with cyber posture, it’s almost always the right first step. This article walks through what it actually requires, what trips firms up, and what to fix first if you’re starting from scratch.
The five control areas
01. Firewalls. Boundary firewalls between your network and the internet, configured to deny by default and only permit specific, justified traffic. Personal firewalls on each end-user device.
02. Secure configuration. Default configurations are insecure. Default admin passwords must be changed. Unused accounts must be disabled. Unnecessary software and services must be removed. Mobile devices must be encrypted and remotely wipeable.
03. User access control. Each user has their own account. Administrative privileges are limited to those who need them. Accounts are removed promptly when staff leave. Multi-factor authentication is enabled on cloud services. Strong password practices are enforced.
04. Malware protection. Anti-malware running on every device. Application allowlisting on servers and key endpoints. Auto-updates enabled. Email and web filtering in place.
05. Patch management. Operating systems and software receive security updates within 14 days of release. End-of-life software is removed or replaced. Internet-facing systems are patched first.
The full requirements are published by the IASME Consortium, the body that runs Cyber Essentials on behalf of the NCSC. They are revised annually, usually each April.
Where small law firms typically fall short
The certification process is a self-assessment, but the assessment is rigorous. The most common gaps in our experience:
- Personal devices used for work — laptops at home, partners using personal phones for email — without enrolment in mobile device management.
- Accounts of leavers still active — particularly for cloud services that were set up by a single user (Dropbox, DocuSign, e-discovery tools).
- Default Microsoft 365 settings — particularly conditional access policies, MFA enforcement, and external sharing rules.
- Unmanaged software — applications installed by individual fee-earners outside IT’s knowledge, particularly Chrome extensions and macOS App Store installs.
- Patching gaps — especially on third-party software (Adobe Acrobat, Zoom, browser extensions) where automatic updates aren’t enabled.
None of these are dramatic. They are the consequences of an environment that has been allowed to accumulate.
What to fix first
If you’re a 20-to-50-person firm starting from scratch, the order of operations:
- Enable MFA on Microsoft 365 for everyone, no exceptions. It is the single biggest risk reducer, and it should take about a week including communication and rollout.
- Inventory every device that touches firm data. You cannot secure what you can’t list. Include personal devices used for email.
- Enrol every device in management — Microsoft Intune is the default; equivalents exist for Mac and mobile. This is what makes the rest of the controls enforceable.
- Audit user accounts. Every active account, every cloud service, every shared mailbox. Disable everything that doesn’t have a current owner.
- Standardise device builds. Encryption on. Auto-lock on. Auto-update on. Personal-firewall on. Browser locked down.
- Establish a patching cadence. Microsoft 365 and Windows Update first. Third-party software next.
Once the above is in place, the Cyber Essentials assessment is straightforward. Most firms with managed IT achieve it within four weeks of starting; firms starting from a longer-neglected position should plan for two to three months including remediation.
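As an added worked example (not from this article and not Techsperience's own tooling), the script below turns two of the steps above, the account audit and the patching cadence, plus the leaver and unmanaged-device gaps listed earlier, into repeatable checks over exported data. The CSV layouts, the column names, the sample rows and the 90-day "no recent sign-in" threshold are all assumptions constructed for the illustration; the 14-day patch window is the Cyber Essentials figure quoted above. In practice you would feed it the user and device exports from your own Microsoft 365 or Intune tenant, mapped onto these columns.

```python
"""Audit constructed account and device exports against Cyber Essentials-style rules.

Rules applied (thresholds other than the 14-day window are assumptions):
  - an enabled account whose owner has left HR's records is flagged
  - an enabled account with no sign-in inside STALE_SIGNIN_DAYS is flagged for ownership review
  - a device not enrolled in management is flagged
  - a device whose OS update was installed later than PATCH_WINDOW_DAYS after release,
    or is still missing once the window has passed, is flagged
  - a device assigned to a leaver is flagged for recovery or wipe
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14   # Cyber Essentials: security updates applied within 14 days of release
STALE_SIGNIN_DAYS = 90   # assumed review threshold; not a Cyber Essentials figure

# Constructed sample exports. Column names are assumptions, not a real tenant schema.
ACCOUNTS_CSV = """upn,enabled,last_signin,hr_status
a.partner@example-firm.test,true,2024-05-28,active
j.leaver@example-firm.test,true,2024-02-01,left
s.shared@example-firm.test,true,,active
t.temp@example-firm.test,false,2023-11-12,left
"""

DEVICES_CSV = """device,owner,managed,os_patch_released,os_patch_installed
LAPTOP-01,a.partner@example-firm.test,true,2024-05-14,2024-05-20
LAPTOP-02,j.leaver@example-firm.test,true,2024-05-14,
PHONE-03,a.partner@example-firm.test,false,2024-05-14,2024-05-30
"""


@dataclass(frozen=True)
class Finding:
    control: str   # the Cyber Essentials control area the finding belongs to
    subject: str   # account UPN or device name
    reason: str


def _parse_date(value: str) -> date | None:
    """Empty export cells mean 'never' / 'not yet'."""
    return date.fromisoformat(value) if value else None


def audit_accounts(csv_text: str, today: date) -> list[Finding]:
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled: nothing to remediate
        if row["hr_status"].strip().lower() == "left":
            findings.append(Finding("user access control", row["upn"],
                                    "owner has left but account is still enabled"))
            continue
        last = _parse_date(row["last_signin"])
        if last is None or (today - last).days > STALE_SIGNIN_DAYS:
            findings.append(Finding("user access control", row["upn"],
                                    f"no sign-in within {STALE_SIGNIN_DAYS} days; confirm current owner"))
    return findings


def audit_devices(csv_text: str, today: date, leavers: set[str]) -> list[Finding]:
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["device"]
        if row["managed"].strip().lower() != "true":
            findings.append(Finding("secure configuration", name, "not enrolled in device management"))
        if row["owner"] in leavers:
            findings.append(Finding("user access control", name,
                                    f"assigned to leaver {row['owner']}; recover or remotely wipe"))
        released = _parse_date(row["os_patch_released"])
        installed = _parse_date(row["os_patch_installed"])
        deadline = released + timedelta(days=PATCH_WINDOW_DAYS)
        if installed is None:
            # Missing updates only become a finding once the 14-day window has elapsed.
            if today > deadline:
                findings.append(Finding("patch management", name,
                                        f"update released {released} still not installed after "
                                        f"{PATCH_WINDOW_DAYS}-day window"))
        elif installed > deadline:
            findings.append(Finding("patch management", name,
                                    f"update installed {(installed - released).days} days after release"))
    return findings


def run_audit(accounts_csv: str = ACCOUNTS_CSV, devices_csv: str = DEVICES_CSV,
              today: date = date(2024, 6, 3)) -> list[Finding]:
    account_findings = audit_accounts(accounts_csv, today)
    leavers = {f.subject for f in account_findings if "has left" in f.reason}
    return account_findings + audit_devices(devices_csv, today, leavers)


if __name__ == "__main__":
    for finding in run_audit():
        print(f"[{finding.control}] {finding.subject}: {finding.reason}")
```

With the constructed data and an audit date of 3 June 2024 the script reports six findings: the leaver's account, the shared mailbox with no recorded sign-in, the unmanaged phone, the phone patched two days outside the window, the leaver's laptop still missing its update, and that same laptop flagged for recovery. Running it on a schedule, and treating an empty report as the target state, is what turns the one-off clean-up into the patching and account-review cadence the assessment expects.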
What Cyber Essentials doesn’t cover
Cyber Essentials covers technical controls. It does not cover:
- Staff training and phishing awareness
- Written information-security policies
- Incident response procedures
- Backup integrity and restore testing
- Supplier and third-party risk management
- Physical security
- ISO 27001-grade governance
For SRA expectations, these matter at least as much as the technical baseline. Cyber Essentials is the foundation; the rest is what makes the firm actually defensible.
Cyber Essentials Plus
Cyber Essentials Plus is the audited version of the same standard. Where Cyber Essentials is a self-assessment, Cyber Essentials Plus involves an assessor running a controlled set of technical tests against your environment. It is meaningfully more credible — particularly to insurers and to clients running supplier-due-diligence processes.
For firms with material exposure (M&A practices, family law for high-net-worth clients, cross-border litigation), Plus is increasingly worth the additional cost. For most small commercial-practice firms, base-level Cyber Essentials remains a sensible annual exercise.
If you’d like to know where your firm currently stands against Cyber Essentials, the honest answer takes about 90 minutes to find out. We’re happy to do that as part of an opening conversation — but only after we’ve agreed to work together.
Frequently asked
Common questions on this topic.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme covering five technical control areas: firewalls, secure configuration, user access control, malware protection, and patch management. It is awarded annually after a self-assessment review.
How much does Cyber Essentials cost?
Cyber Essentials assessment fees range from £320 + VAT for very small firms to around £600 + VAT for firms over 50 employees. Most managed-IT contracts include the certification work as part of the standard fee — Techsperience does, at no additional charge.
How long does Cyber Essentials certification take?
For a firm with reasonable existing controls, certification can be achieved in two to four weeks from start to finish. Firms with significant gaps may need eight to twelve weeks of remediation before submitting the assessment.
Is Cyber Essentials enough for a law firm?
Cyber Essentials covers the technical baseline. It does not cover staff training, written policies, incident response procedures, or supplier management — all of which the SRA expects. Cyber Essentials is a foundation, not a finish line.