
Cyber Essentials for UK law firms with remote counsel and counsel chambers

The hybrid working model at UK law firms and chambers creates three specific Cyber Essentials scoping questions. This guide walks through how to answer each one.

Author: Jay Hopkins

Editor: Jack Wickham

Read time: 11 min read


Section 01

Cyber Essentials for UK law firms with remote counsel and counsel chambers

UK law firms and barristers' chambers have a hybrid working model that does not look like any other sector. Partners work between offices, home, client sites, and court. Counsel chambers are organised around self-employed barristers with shared infrastructure. Remote and flexible working is the norm.

This creates three specific Cyber Essentials scoping questions that neither the NCSC requirements nor most consultancy guidance answers cleanly.

Section 02

The three scoping questions

1. Are self-employed barristers' own laptops in scope?

2. Is a home router used by a solicitor working from home in scope?

3. Is the chambers' shared practice management system in scope if it is hosted by a third party?

The answers depend on structure, not just scheme rules. This guide walks through each.

Section 03

Question 1: self-employed barristers' laptops

In most barristers' chambers (London criminal sets are the archetype), barristers are self-employed individuals sharing space, staff, and some infrastructure. The chambers has its own staff (clerks, administrators, practice managers) with chambers-issued laptops. The barristers themselves often use their own.

The Cyber Essentials scope question is: are the barristers' laptops part of chambers scope?

The answer depends on what they access:

  • If the barrister accesses chambers email, chambers practice management, or chambers file shares on their personal laptop: yes, in scope. The barrister's laptop is a device that accesses chambers data.
  • If the barrister uses their personal laptop only for their own solo practice (not chambers systems): no, not in scope - but this is rare in practice because chambers email and chambers diary are typically used across all tenants.

The practical solution for most chambers is one of:

  • Issue every barrister a chambers-managed laptop. Clean scope, but expensive and typically resisted by senior counsel.
  • Require barristers to access chambers systems via a virtual desktop (Citrix, AWS WorkSpaces, Parallels RAS). The barrister's personal laptop becomes a thin client, and can be treated as out of scope only if no chambers data reaches it: disable drive mapping, clipboard redirection and local saving or printing in the virtual desktop policy, and be ready to show the assessor that configuration. The exclusion rests on the technical control, not on a policy telling barristers not to download files.
  • Require BYOD enrolment in an MDM. The personal laptop becomes managed for chambers purposes. See the BYOD guide.

For most chambers pursuing CE in 2026, the virtual desktop pattern is the cleanest because it avoids the MDM-on-personal-device friction with senior counsel.

Section 04

Question 2: the home router for a remote solicitor

Under Cyber Essentials v3.3, normal home routers used by remote workers are explicitly out of scope, as they have been since the 2022 Evendine update. The Danzell assessor guide, A2.5, says directly: "Details of routers and firewalls in the home environment must not be included." The boundary follows the device that touches firm data, not the home network.

For a law firm with a hybrid-working cohort, this means each solicitor's home router does NOT need to be inventoried, password-policed, or attested. What does need to be in place is the device-level posture:

  • The firm-issued (or firm-managed BYOD) laptop has its software firewall enabled, default-deny on inbound, and configured so a standard user cannot disable it.
  • The laptop's MDM posture (Intune, Jamf, Conditional Access) covers the device wherever it is - home, court, client site, hotel.
  • Reliance on the software firewall for home and remote workers is noted in A2.5 of the assessment ("Home and remote workers rely on the device's software firewall as the boundary; no home routers in scope").
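One way to evidence that posture on a Windows fleet rather than assert it, as an added example that is not part of the original article or Fig Group's own material: an Intune custom compliance discovery script. It assumes the firm manages laptops with Intune, that the script runs as SYSTEM (as Intune runs discovery scripts), and that the property names it returns (FirewallAllProfilesEnabled, FirewallDefaultInboundBlock, LocalAdminCount, FirewallIssues) are the ones referenced in a custom compliance JSON rules file you author alongside it; all of those names are assumptions.

```powershell
# Added example, not code from the original article or from Fig Group.
# Intune custom compliance discovery script: reports whether this Windows laptop
# meets the device-level firewall posture a Cyber Essentials assessor expects.
# Assumptions: Intune-managed device, script runs as SYSTEM, and the property
# names in $result are matched by a JSON rules file you write yourself.

# ActiveStore is the effective configuration after local, Group Policy and MDM
# settings have been resolved, so it reflects what the device actually enforces.
$profiles = Get-NetFirewallProfile -PolicyStore ActiveStore
$issues   = New-Object System.Collections.Generic.List[string]

foreach ($p in $profiles) {
    # Enabled is a GpoBoolean (True / False / NotConfigured); anything but True is a finding.
    if ($p.Enabled -ne 'True') {
        $issues.Add("$($p.Name): firewall is not enabled")
    }
    # Default-deny inbound is the explicit control to show the assessor. NotConfigured
    # happens to block inbound by default, but it is not a setting you can point to.
    if ($p.DefaultInboundAction -ne 'Block') {
        $issues.Add("$($p.Name): DefaultInboundAction is $($p.DefaultInboundAction), expected Block")
    }
}

# Windows only lets administrators change firewall state, so "a standard user
# cannot disable it" reduces to "the day-to-day user is not a local administrator".
# Count Administrators members other than the built-in account (RID 500), which
# should itself be disabled or under LAPS.
try {
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                Where-Object { $_.SID.Value -notlike '*-500' })
    $adminCount = $admins.Count
} catch {
    # Get-LocalGroupMember can fail on orphaned SIDs; surface that as a finding
    # rather than silently reporting zero admins.
    $adminCount = -1
    $issues.Add("Could not enumerate local Administrators: $($_.Exception.Message)")
}

$result = @{
    FirewallAllProfilesEnabled  = (@($profiles | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0)
    FirewallDefaultInboundBlock = (@($profiles | Where-Object { $_.DefaultInboundAction -ne 'Block' }).Count -eq 0)
    LocalAdminCount             = $adminCount
    FirewallIssues              = ($issues -join '; ')
}

# Intune expects a single compressed JSON object as the script's output.
return $result | ConvertTo-Json -Compress
```

Pair it with a rules file that requires FirewallAllProfilesEnabled and FirewallDefaultInboundBlock to be true and LocalAdminCount to be 0 (or whatever count your named administrator accounts justify), and let Conditional Access block non-compliant devices from M365 and the practice management system. That turns the A2.5 statement about relying on the software firewall into something measured on every laptop, wherever it is. On Macs the equivalent is the application firewall, which Jamf can enforce and report (`/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on`).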

Where the home router IS in scope: if the firm supplies a corporate router as managed kit (i.e., issues the router itself, configures it, and manages updates), that router is firm equipment and is in scope. Most firms do not do this; for those that do, the router becomes a managed boundary device and is assessed accordingly.

A corporate VPN is fine to run for confidentiality reasons (and clients, insurers and the firm's own information-security obligations under the SRA Standards and Regulations often point the same way), but it is no longer needed as the route by which the home router gets out of scope. The Danzell rule excludes home routers regardless of VPN posture.

Section 05

Question 3: third-party practice management (LexisNexis, Clio, Leap, Actionstep, BigHand)

Most UK law firms use a cloud-hosted practice management system. The common ones in the UK solicitor market are LexisNexis Enterprise, Clio, Leap, Actionstep, and DPS. For chambers, the common tools are MeridianLaw, LEX Chambers, and Clio for Chambers.

The scope question is: is the practice management system in CE scope?

The answer: the laptops and browsers you use to access it are in scope. The practice management infrastructure itself (the provider's servers) is not - that is the provider's responsibility, evidenced by their own certifications (typically ISO 27001 or a SOC 2 report; ask the provider for the current certificate or report rather than relying on the marketing page). What stays with the firm is everything on the tenant side of that line: user accounts, MFA enforcement, roles, and who still has a login.

What the assessor checks:

  • MFA on the practice management login. Cyber Essentials has required MFA on cloud services for all users since the Evendine question set, and v3.3 keeps that requirement. All major UK practice management tools support MFA; turn it on and, where the tool allows, make it mandatory at tenant level rather than leaving it to each user.
  • Role-based access control. Day-to-day fee-earner accounts, partners included, should not carry administrator privileges on the practice management system; a small number of named administrator accounts, used only for administration, should.
  • User provisioning and de-provisioning. When a fee-earner joins, they get appropriate access; when they leave, access is revoked the same day. Assessors often ask about leaver procedures, so keep a dated record of each revocation.
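The leaver step is the one assessors probe, and for a firm whose identity sits in Microsoft 365 it can be a script rather than a checklist. The following is an added example, not code from the original article or from Fig Group: it uses the Microsoft.Graph PowerShell SDK to disable a leaving fee-earner's account, kill their existing sessions, strip group memberships and optionally remove licences. The parameter names, the scopes requested and the placeholder UPN are assumptions. The practice management system itself (Clio, Leap and the rest) has its own admin console and is not touched here, so same-day revocation there still needs its own line on the leaver checklist.

```powershell
# Added example, not code from the original article or from Fig Group.
# Same-day leaver offboarding for a Microsoft 365 account using the
# Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumptions: Entra ID is the firm's identity provider, the operator runs this
# from a dedicated administrator account, and the practice management system
# is de-provisioned separately through its own console.
param(
    [Parameter(Mandatory)] [string] $LeaverUpn,   # e.g. 'a.fee-earner@firm.example' (placeholder)
    [switch] $RemoveLicences                       # only after the mailbox has been converted to shared or exported
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','GroupMember.ReadWrite.All','Organization.Read.All' -NoWelcome

$user = Get-MgUser -UserId $LeaverUpn -Property Id,DisplayName,AccountEnabled,AssignedLicenses
$log  = New-Object System.Collections.Generic.List[string]

# 1. Block sign-in first. This is the control the assessor is asking about when
#    they ask for the leaver procedure.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
$log.Add("Sign-in disabled for $($user.DisplayName)")

# 2. Revoke refresh tokens so open Outlook, Teams and browser sessions stop
#    working now rather than when their tokens expire.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
$log.Add('Existing sessions revoked')

# 3. Remove group memberships, which is where file-share, SharePoint and
#    practice-system SSO access is usually granted. Dynamic groups reject manual
#    removal, so record that rather than failing the whole run.
$groups = Get-MgUserMemberOf -UserId $user.Id -All |
          Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
foreach ($g in $groups) {
    try {
        Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id -ErrorAction Stop
        $log.Add("Removed from group $($g.AdditionalProperties['displayName'])")
    } catch {
        $log.Add("Could not remove from group $($g.Id) (dynamic or role-assignable?): $($_.Exception.Message)")
    }
}

# 4. Licences. Removing them deletes the mailbox after the retention window, so
#    this is gated behind -RemoveLicences and belongs after the data-retention
#    decision, not before it.
if ($RemoveLicences -and $user.AssignedLicenses.Count -gt 0) {
    Set-MgUserLicense -UserId $user.Id -RemoveLicenses @($user.AssignedLicenses.SkuId) -AddLicenses @() | Out-Null
    $log.Add("Removed $($user.AssignedLicenses.Count) licence(s)")
}

# Keep the output: a timestamped record of what was done is the evidence the
# assessor wants to see for the leaver process.
$stamp = Get-Date -Format 'yyyy-MM-ddTHH:mm:ssK'
$log | ForEach-Object { "$stamp $LeaverUpn $_" }
```

Run it as soon as HR confirms the leaving date, redirect the output into the firm's leaver log, and only pass -RemoveLicences once the mailbox has been converted to shared (Exchange Online `Set-Mailbox -Type Shared`) or exported for the matter files. Disabling sign-in and revoking sessions are the two steps that must happen the same day; the rest can follow the retention decision.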

Section 06

SRA and BSB expectations (2026)

Solicitors Regulation Authority. The SRA has not mandated Cyber Essentials, but it has issued repeated guidance that firms should have appropriate technical and organisational measures. CE is widely accepted as meeting this bar for small-to-mid-size firms. For larger firms and those handling high-value transactional work, CE Plus or ISO 27001 is more common.

Bar Standards Board. The BSB does not require Cyber Essentials. But solicitors (who instruct barristers), lay clients, and insurers increasingly do. Chambers in London's commercial and criminal sets are adopting CE and in some cases CE Plus as a response to solicitor-firm supplier requirements.

St James's Place Partner Practices. SJP mandated CE Plus across its 2,800+ Partner Practice network in May 2024. This is a notable example of an enterprise-driven requirement reaching UK wealth management and, through it, the law firms that service SJP Partner Practices. See the SJP guide.

Section 07

Practical certification plan for a 25-person solicitor firm

1. Scope. Corporate estate only: laptops, phones, M365, practice management access. Home routers are out of scope under v3.3 (Danzell A2.5).

2. MFA. Required on M365, practice management, and any VPN.

3. Leaver process. Document it; assessors will ask.

4. Patch management. Critical and high-severity updates applied within 14 days of release on Windows and Mac laptops, with automatic updates on and MDM reporting (Intune/Jamf) as evidence that the estate is actually current.

5. Software firewall posture. Note in A2.5 that home and remote workers rely on the device's software firewall as the boundary.

6. Submit. Fig 6-hour turnaround covers it same day for compliant submissions.

Section 08

Practical certification plan for a 40-member chambers

1. Scope. Chambers laptops (staff) in scope. Barristers access chambers systems via virtual desktop; personal laptops out of scope.

2. MFA. Required on chambers email, practice management, diary.

3. Clerk-managed provisioning. When a barrister takes up chambers, access is provisioned; when they leave chambers, access is removed within 24 hours.

4. Virtual desktop. Document the architecture in the scope statement.

5. Shared physical infrastructure. Chambers Wi-Fi, printers, and network gear are in scope.

6. Submit. Fig supports chambers submissions; see the chambers guide.

Section 09

Bottom line

Hybrid working and shared chambers infrastructure make the scoping question harder than standard corporate environments. The rules do not change - the scope has to be explicit, the technical controls have to be in place, and the sub-set exclusions have to be technical not policy-based.

For most law firms and chambers, the clean pattern is: virtual desktops for the awkward device categories, corporate MDM for everything else, and a VPN only where the firm wants it for confidentiality (it no longer decides scope). That combination passes first time, and Fig turns it round in 6 hours.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.

Next step

Ready to get certified?

Get Cyber Essentials certified with Fig. Same-day certification available when you purchase before 12:00 midday. IASME-licensed with transparent pricing from £299.99 + VAT.