The SRA and Lexcel both expect your firm to manage IT and cyber risk properly — but neither hands you a simple checklist. Here's what they actually require, in plain English, and the controls that satisfy them.
The most important thing to understand about the SRA Standards and Regulations is that they're outcomes-focused. There is no single rule that says "you must use this antivirus" or "you must encrypt that folder". Instead, the rules set principles and expectations, and it's for your firm to decide — and evidence — how you meet them. The relevant expectations cluster around a few themes: protecting client money and assets, keeping client information confidential, running the business effectively with proper governance and risk management, and maintaining competence.
The SRA's Risk Outlook has highlighted cyber crime and IT resilience as priority risks for the profession for several years running. The message is consistent: cyber is now a governance issue for the partners, not just a technical issue for "the IT person".
Lexcel is the Law Society's optional practice management quality standard, and many firms pursue it because clients, panels and insurers value it. Section 7 deals specifically with information management and security, and it's far more concrete than the SRA's high-level principles. It expects documented controls covering access control, data protection, backup and recovery, business continuity, supplier management and an information security policy.
Section 7 maps closely onto the controls in ISO 27001, so a firm that runs its IT to a recognised security standard is usually most of the way to satisfying Lexcel already.
In practice, the same set of well-run controls covers the SRA's expectations and Lexcel Section 7 at the same time: an information security policy, an asset register, enforced MFA, patching and antivirus/EDR with reporting, backups with regular restore tests, a business continuity and incident response plan, supplier and data-processor records, and staff security awareness training.
A recurring theme with both the SRA and Lexcel is that you must be able to demonstrate what you do. When your COLP, a Lexcel assessor or your PI insurer asks, you need an evidence pack ready — policies, MFA and patch reports, backup test logs, training records and your incident response plan. We maintain this on an ongoing basis for the firms we support, so compliance is a state you stay in rather than a scramble before an assessment.
We don't certify firms — Lexcel assessment is carried out by the Law Society's assessors, and Cyber Essentials by accredited bodies. What we do is build and run the underlying IT controls, align them to ISO 27001 and Lexcel Section 7, and keep the evidence current and defensible. We've supported law firms across Hertfordshire, Essex, Cambridgeshire and London since 1996. This guide is part of our wider work on IT, cybersecurity and AI for UK law firms; you may also find our guide on whether Copilot is safe for law firms useful.
The SRA Standards and Regulations don't list a prescriptive checklist of technical controls. Instead they set outcomes: you must protect client money and assets, keep client information confidential, run your business effectively with proper governance and risk management, and maintain competence. The SRA's Risk Outlook repeatedly highlights cyber and IT resilience as a priority. In practice that means you're expected to take reasonable, proportionate steps — and to be able to evidence them — rather than meet a single named standard.
Sources: SRA Risk resources
Lexcel is the Law Society's legal practice quality mark. Section 7 covers information management and security and expects documented controls around access, data protection, backup and recovery, business continuity, supplier management and information security policy. It maps closely onto recognised security frameworks like ISO 27001, so a firm with mature IT controls is usually well placed for Lexcel assessment or reaccreditation.
Cyber Essentials (and the audited Cyber Essentials Plus) covers five technical control themes: firewalls, secure configuration, user access control, malware protection and security update management. It is a widely recognised baseline and strong evidence that you've addressed the most common attack routes. But it isn't a complete answer to the SRA's broader expectations around governance, confidentiality, business continuity and competence. We treat Cyber Essentials Plus as a foundation and build the wider controls and evidence around it.
Typically: an information security policy, an asset register, records of MFA enforcement, patching and antivirus/EDR reporting, backup configuration and successful restore-test logs, a business continuity and incident response plan, supplier/data-processor records, and evidence of staff security awareness training. We maintain this evidence pack on an ongoing basis so it's ready when your COLP, assessor or insurer asks, rather than being assembled in a panic.
Book a 30-minute call with James, Genmar's Managing Director. No deck, no hard sell — just honest advice for your firm.