Cyber Essentials for UK law firms with remote counsel and counsel chambers

The hybrid working model at UK law firms and chambers creates three specific Cyber Essentials scoping questions. This guide walks through how to answer each one.

Author

Jay Hopkins

Editor

Edited by Jack Wickham

UK law firms and barristers' chambers have a hybrid working model that does not look like any other sector. Partners work between offices, home, client sites, and court. Counsel chambers are organised around self-employed barristers with shared infrastructure. Remote and flexible working is the norm.

This creates three specific Cyber Essentials scoping questions that neither the NCSC requirements nor most consultancy guidance answers cleanly.

The three scoping questions

1. Are self-employed barristers' own laptops in scope?

2. Is a home router used by a solicitor working from home in scope?

3. Is the chambers' shared practice management system in scope if it is hosted by a third party?

The answers depend on structure, not just scheme rules. This guide walks through each.

Question 1: self-employed barristers' laptops

In most London criminal barristers' chambers, barristers are self-employed individuals sharing space, staff, and some infrastructure. The chambers has its own staff (clerks, administrators, practice managers) with chambers-issued laptops. The barristers themselves often use their own.

The Cyber Essentials scope question is: are the barristers' laptops part of chambers scope?

The answer depends on what they access:

  • If the barrister accesses chambers email, chambers practice management, or chambers file shares on their personal laptop: yes, in scope. The barrister's laptop is a device that accesses chambers data.
  • If the barrister uses their personal laptop only for their own solo practice (not chambers systems): no, not in scope - but this is rare in practice because chambers email and chambers diary are typically used across all tenants.

The practical solution for most chambers is one of:

  • Issue every barrister a chambers-managed laptop. Clean scope, but expensive and typically resisted by senior counsel.
  • Require barristers to access chambers systems via a virtual desktop (Citrix, AWS WorkSpaces, Parallels RAS). The barrister's personal laptop becomes a thin client - out of scope if no data is stored locally.
  • Require BYOD enrolment in an MDM. The personal laptop becomes managed for chambers purposes. See the BYOD guide.

For most chambers pursuing CE in 2026, the virtual desktop pattern is the cleanest because it avoids the MDM-on-personal-device friction with senior counsel.

Question 2: the home router for a remote solicitor

Under Cyber Essentials v3.3, home routers used by remote workers are in scope as boundary devices. For a law firm with a hybrid-working cohort, this means every solicitor's home router is nominally part of the assessment.

Practical approaches:

  • Issue a corporate VPN. Every remote worker connects through the firm's VPN gateway before accessing any firm resource. The home router becomes just a pipe; the firm's VPN gateway is the boundary device.
  • Issue a managed router. Some firms provide home workers with a firm-configured router (typically running firm firmware or a VPN client) as part of their hybrid-working kit. That router is in scope and managed.
  • Signed attestations. Each remote worker signs a form confirming they have changed the default admin password and updated the firmware. This works but is fragile - assessors sometimes ask for spot-checks.

The VPN gateway approach is the cleanest for solicitor firms because most firms already run a corporate VPN. Document it in the scope description.

Question 3: third-party practice management (LexisNexis, Clio, Leap, Actionstep, BigHand)

Most UK law firms use a cloud-hosted practice management system. The common ones in the UK solicitor market are LexisNexis Enterprise, Clio, Leap, Actionstep, and DPS. For chambers, the common tools are MeridianLaw, LEX Chambers, and Clio for Chambers.

The scope question is: is the practice management system in CE scope?

The answer: the laptops and browsers you use to access it are in scope. The practice management infrastructure itself (the provider's servers) is not - that is the provider's problem, covered by their own certifications (ISO 27001 for LexisNexis, SOC 2 for Clio, etc.).

What the assessor checks:

  • MFA on the practice management login. From v3.3 this is mandatory. All major UK practice management tools support MFA; turn it on.
  • Role-based access control. Solicitors should not have admin privileges on the practice management system. The firm partner / IT administrator should.
  • User provisioning and de-provisioning. When a fee-earner joins, they get appropriate access; when they leave, access is revoked same-day. Assessors often ask about leaver procedures.
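The three checks above can be run against an account export before the assessor asks. This is an added example, not Fig's or any vendor's tooling; the CSV column names, the sample rows, the leaver list and the `audit_accounts` helper are all assumptions constructed for illustration, and a real practice management export will use different fields.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are assumed, not any vendor's format.
ACCOUNTS_CSV = """user,role,job_title,mfa_enabled,active
a.patel,admin,IT administrator,yes,yes
b.jones,admin,Solicitor,yes,yes
c.smith,user,Solicitor,no,yes
d.evans,user,Paralegal,yes,yes
e.khan,user,Solicitor,yes,no
"""

# Constructed HR leaver list: user -> leaving date.
LEAVERS = {"d.evans": date(2026, 3, 2), "e.khan": date(2026, 2, 27)}

# Job titles allowed to hold admin rights (firm partner / IT administrator).
ADMIN_TITLES = {"partner", "it administrator"}


def audit_accounts(accounts_csv, leavers, today):
    """Return sorted (user, finding) tuples for the three assessor checks."""
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        user = row["user"].strip()
        if row["active"].strip().lower() != "yes":
            continue  # disabled accounts cannot log in; nothing more to check
        # Same-day revocation: an account still active on any day after the
        # leaving date has missed the deadline.
        left_on = leavers.get(user)
        if left_on is not None and left_on < today:
            findings.append((user, "leaver still active"))
        if row["mfa_enabled"].strip().lower() != "yes":
            findings.append((user, "MFA not enabled"))
        if (row["role"].strip().lower() == "admin"
                and row["job_title"].strip().lower() not in ADMIN_TITLES):
            findings.append((user, "admin role outside permitted titles"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS_CSV, LEAVERS, date(2026, 3, 3)):
        print(f"{user}: {finding}")
```

Running it on a schedule and keeping the output gives dated evidence of the leaver procedure when the assessor asks about it.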

SRA and BSB expectations (2026)

Solicitors Regulation Authority. The SRA has not mandated Cyber Essentials, but it has issued repeated guidance that firms should have appropriate technical and organisational measures. CE is widely accepted as meeting this bar for small-to-mid-size firms. For larger firms and those handling high-value transactional work, CE Plus or ISO 27001 is more common.

Bar Standards Board. The BSB does not require Cyber Essentials. But solicitors (who instruct barristers), lay clients, and insurers increasingly do. Chambers in London's commercial and criminal sets are adopting CE and in some cases CE Plus as a response to solicitor-firm supplier requirements.

St James's Place Partner Practices. SJP mandated CE Plus across its 2,800+ Partner Practice network in May 2024. This is a notable enterprise-driven requirement in UK wealth management and law firms that service SJP partners. See the SJP guide.

Practical certification plan for a 25-person solicitor firm

1. Scope. Corporate estate only: laptops, phones, M365, practice management access, home routers via corporate VPN.

2. MFA. Required on M365, practice management, and VPN.

3. Leaver process. Document it; assessors will ask.

4. Patch management. 14-day rule on Windows and Mac laptops.

5. Home routers. VPN gateway approach.

6. Submit. Fig's 6-hour turnaround covers it same day for compliant submissions.

Practical certification plan for a 40-member chambers

1. Scope. Chambers laptops (staff) in scope. Barristers access chambers systems via virtual desktop; personal laptops out of scope.

2. MFA. Required on chambers email, practice management, diary.

3. Clerk-managed provisioning. When a barrister takes up chambers, access is provisioned; when they leave chambers, access is removed within 24 hours.

4. Virtual desktop. Document the architecture in the scope statement.

5. Shared physical infrastructure. Chambers Wi-Fi, printers, and network gear are in scope.

6. Submit. Fig supports chambers submissions; see the chambers guide.

Bottom line

Hybrid working and shared chambers infrastructure make the scoping question harder than in standard corporate environments. The rules do not change - the scope has to be explicit, the technical controls have to be in place, and the sub-set exclusions have to be technical, not policy-based.

For most law firms and chambers, the clean pattern is: virtual desktops for the awkward device categories, VPN gateway for remote workers, corporate MDM for everything else. That combination passes first time in 6 hours.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor

IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
