CJSM, Common Platform, and Criminal Chambers: The Digital Security Baseline for 2026

Jay Hopkins
Last reviewed: 18 April 2026

A criminal chambers in London, Manchester, or Birmingham in 2026 operates across three distinct digital layers. The first is the chambers’ own infrastructure — email, document management, case management, the clerks’ systems. The second is the government-provided digital tooling that connects chambers to the prosecuting authorities and the courts — CJSM, the CPS Digital Case System, the HMCTS Common Platform. The third is the barristers’ own personal digital estate, which varies massively across a set and which is often the weakest link in the chain from a security perspective.

Cyber Essentials is primarily concerned with the first layer. But the second layer — the CJSM and Common Platform tooling — interacts with the first in ways that matter, and in ways that are often misunderstood in chambers. This guide clarifies what CJSM and Common Platform actually provide, where their security guarantees end, and how a chambers’ CE posture needs to account for them.

What CJSM actually is (and is not)

CJSM — the Criminal Justice Secure Mail service — is an email service provided by the Ministry of Justice for communication between authorised criminal justice system participants: police forces, CPS, HMCTS, prisons, probation, defence solicitors and barristers, and selected other government and public-sector organisations.

What CJSM provides:

  • A private network environment where messages between CJSM accounts pass through the gov.uk infrastructure, not the public internet
  • Strict membership controls — only approved criminal justice participants can hold CJSM addresses
  • Transport-layer security between CJSM servers
  • A shared trust model that allows bulk case communications to move through a single controlled channel

What CJSM does not provide:

  • End-to-end encryption of messages. The messages themselves are not encrypted once they reach a CJSM mailbox. An attacker who compromises a CJSM account can, in most cases, read everything in the inbox in plain text.
  • Non-repudiation or message signing. CJSM does not add cryptographic signatures to messages. A received message appears to be from the sender address but that address relies on the sender’s own account security.
  • Post-delivery protection. Once a message is delivered to a CJSM mailbox, CJSM’s protections do not apply to what happens next — including copies sent to non-CJSM addresses, attachments downloaded to unmanaged devices, or screen captures.

This is not a criticism of CJSM. CJSM is doing what it was designed to do — provide a restricted transport channel for CJS participants. The mistake chambers sometimes make is treating CJSM as equivalent to cryptographic end-to-end encryption, when it is not.

The practical implication: the security of CJSM-delivered material depends almost entirely on the security of the recipient chambers’ infrastructure and endpoint security — which is exactly what Cyber Essentials covers.

The Common Platform context

Common Platform is HMCTS’s digital case system for criminal cases. It has been rolled out progressively across magistrates’ and Crown courts over the last several years. For chambers and barristers, Common Platform provides:

  • Access to case information in a unified digital interface
  • Digital service of documents
  • Case listing, hearing information, and court diary visibility
  • Integration with CPS and defence systems where authorised

Access to Common Platform is gated by Common Platform Professional User accounts. Each user logs in individually. For chambers:

  • Every barrister and delegated staff member with Common Platform access has their own credentials
  • These accounts need MFA-level protection under v3.3
  • Leaver processes need to reach Common Platform when someone moves chambers or retires
  • The devices used to access Common Platform are in scope for CE if they access chambers case data through that channel

The CPS Digital Case System (DCS) is a separate but related system for prosecution case materials. Defence access to CPS DCS is granted on a case-by-case basis. The same access control principles apply — individual accounts, MFA, proper deprovisioning.

Where chambers CE posture intersects with these systems

Chambers’ CE controls directly affect the security of CJSM, Common Platform, and DCS material at several specific points.

Endpoint security on devices accessing CJSM inboxes. Because CJSM does not encrypt messages at rest, endpoint security on the device reading the messages is load-bearing. A barrister reading CJSM email on a personal laptop with no disk encryption, no software firewall, and no current anti-malware is exposing CJSM material in a way that CJSM itself cannot defend against.

MFA on the email account that receives CJSM messages. CJSM accounts typically route through chambers-hosted email (or a dedicated CJSM account with chambers delivery). Either way, the email account that receives the CJSM message needs MFA. An attacker with the email password can read the CJSM messages on delivery, regardless of how secure the CJSM transport was.

Device management on devices accessing Common Platform. Common Platform access from an unmanaged personal device is a gap. The device needs to be chambers-managed or personally-managed under a documented baseline. The credentials need MFA.

Document retention after CJSM download. When a barrister downloads an attachment from a CJSM message, that document now lives on the barrister’s device. Its security is the device’s security. CE controls on that device — encryption, malware protection, patching — are what protect the document going forward.

Case management systems and CJSM integration

Most criminal chambers use a case management system: LEX Chambers, Advocate Chambers, Athena, MeridianLaw, or bespoke setups. Many of these integrate with CJSM — ingesting CJSM messages into the case management system, linking documents to matter records, and allowing clerks and barristers to work within a unified interface rather than across separate email and case management screens.

For Cyber Essentials purposes, the case management system itself is in scope. It holds organisational data (case matters, client information, document indices). Its CE requirements:

  • MFA on every user account — barristers, clerks, administrators
  • Integration with chambers identity (SSO where available)
  • Audit logging of access to sensitive matters
  • Role-based access — not every clerk needs access to every case
  • Proper leaver deprovisioning
  • Patching of any desktop components within the 14-day window

For cloud-hosted case management systems, the vendor handles the infrastructure. For on-premise or self-hosted systems, the chambers handles the infrastructure, and the underlying servers, databases, and network components are all in CE scope.
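
An added example, not from the original article or any vendor's tooling: a small audit over constructed exports that checks three of the requirements listed above (MFA on every account, leaver deprovisioning across in-scope systems, and the 14-day patching window). The export shape, field names, usernames, hostnames and system labels are all assumptions.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14  # the 14-day patching window from the list above

# Constructed sample data. Export shape, field names, users and hosts are assumptions.
LEAVERS = {"r.patel"}  # people who have moved chambers or retired
ACCOUNTS = [
    {"system": "case-management", "user": "a.clerk", "mfa": True, "enabled": True},
    {"system": "case-management", "user": "r.patel", "mfa": True, "enabled": True},
    {"system": "email", "user": "r.patel", "mfa": True, "enabled": False},
    {"system": "email", "user": "b.counsel", "mfa": False, "enabled": True},
    {"system": "common-platform", "user": "b.counsel", "mfa": True, "enabled": True},
]
DESKTOP_COMPONENTS = [
    {"host": "clerks-01", "released": date(2026, 3, 1), "installed": date(2026, 3, 10)},
    {"host": "clerks-02", "released": date(2026, 3, 1), "installed": None},
    {"host": "clerks-03", "released": date(2026, 4, 10), "installed": None},
]


def audit_accounts(accounts, leavers):
    """Flag enabled accounts that belong to leavers or lack MFA."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned in this system
        if acct["user"] in leavers:
            findings.append((acct["system"], acct["user"], "leaver still enabled"))
        elif not acct["mfa"]:
            findings.append((acct["system"], acct["user"], "no MFA"))
    return findings


def audit_patches(components, today):
    """Return (host, days) where a patch landed, or is still pending, past the window."""
    findings = []
    for comp in components:
        days = ((comp["installed"] or today) - comp["released"]).days
        if days > PATCH_WINDOW_DAYS:
            findings.append((comp["host"], days))
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS, LEAVERS):
        print("ACCOUNT", *finding)
    for host, days in audit_patches(DESKTOP_COMPONENTS, date(2026, 4, 18)):
        print("PATCH", host, f"{days} days since release")
```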

The BYOD question for chambers — specifically for barristers

Self-employed barristers often work across multiple devices: a chambers-issued laptop for chambers work, a personal laptop for wider legal practice, a personal iPad for brief-reading, a personal phone for CJSM email, a home desktop for paperwork. From a chambers CE perspective, this is a scoping question.

The options:

Option A: Chambers certifies only chambers-managed devices, and the scope statement is explicit that member-barristers’ personal devices are out of scope for chambers CE. This is honest and defensible. It has the side-effect that if a solicitor firm asks "is counsel’s home laptop in your CE scope?", the answer is no. Some firms are comfortable with this; some are not.

Option B: Chambers requires MDM enrolment of any personal device used to access chambers systems or CJSM-linked email. This is more comprehensive but requires member buy-in. Increasingly common for newer chambers and for chambers with larger corporate lay client practices.

Option C: Chambers provides issued devices for members and requires their exclusive use for chambers-related work. The cleanest solution from a CE perspective, but operationally expensive for chambers.

Most London criminal chambers operate at some point along a continuum between A and B. The key is consistency between the scope declared and the reality of how work is done.

Security of paper briefs and transfer between digital and physical

Criminal practice still involves significant paper. Briefs are sometimes delivered in hard copy. CPS bundles are often printed for court use. Judges still refer to paper bundles at the Old Bailey and Crown Courts. Cyber Essentials does not directly cover paper — it is a cybersecurity scheme, not an information security management system — but the transition between digital and physical forms a boundary where material leaves the controlled environment.

For CE purposes, the relevant controls are around the digital side: the chambers printer, the document management system’s print history, and the devices that generate the printed output. All of those are in scope.

The chambers that handle this well typically have:

  • A managed print environment where the printer itself is managed (firmware patched, default credentials changed, access controlled)
  • An explicit policy on printing sensitive material — retrieve immediately, no leaving documents on the shared printer
  • Secure disposal — shredding bins, cross-cut shredding of sensitive material

These are more information governance than CE, but they arise during Plus technical audits when the assessor looks at the printer network configuration and sees a multi-function device with a WAN-accessible admin page and default credentials.

The annual CE renewal for a criminal chambers

Chambers that have certified typically find the annual renewal manageable, assuming the underlying posture has remained consistent. The most common annual-review changes:

  • New members joining chambers — accounts provisioned, devices brought into management
  • Members leaving chambers — accounts deprovisioned across all in-scope systems
  • Cloud service changes — new case management system, new document platform, new video conferencing tool
  • Chambers-level infrastructure changes — office move, new wifi, new firewall
  • Personnel changes in the clerking team

Each of these needs to be reflected in the updated CE submission. Chambers that run a living document of their CE scope and controls, updated quarterly rather than annually, find renewal much easier than chambers that treat it as a once-a-year scramble.

Bottom line

CJSM and the HMCTS Common Platform are important components of the criminal chambers digital environment, but they are not substitutes for the baseline cybersecurity controls that Cyber Essentials asks for. CJSM’s transport security does not encrypt messages at rest. Common Platform’s access controls do not manage the device a barrister uses to log in. Both systems rely on the recipient chambers’ CE-level posture to actually protect the material.

For a London criminal chambers in 2026, the realistic posture is Cyber Essentials (or Plus) as the baseline, with CJSM and Common Platform used on top of that baseline rather than as a replacement for it. The chambers that understand this distinction tend to have materially better security outcomes — and materially cleaner conversations with instructing solicitors, lay clients, and insurers who ask about it.

About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
