Lexcel England & Wales v6.1 Standard for legal practices was released in June. In light of the EU General Data Protection Regulation (GDPR) having come into force shortly beforehand, this marks the first version of the standard to impose information management and security requirements on practices—specifically, §3.1 requires that all practices ‘…must have an information management and security policy and should be accredited against Cyber Essentials.’ It then goes on to list the controls the policy must incorporate, such as a register of information assets and personnel security training.
The use of ‘should’ makes the Cyber Essentials accreditation itself optional, but what is Cyber Essentials, and why should your practice aim to achieve it regardless?
Cyber Essentials is a government scheme launched in 2014 that ‘…helps you to guard against the most common cyber threats and demonstrate your commitment to cyber security.’ It comes in two levels: basic, which consists of a self-report questionnaire; and Plus, which follows up the questionnaire with an independent assessment to verify your answers. Achieving either grants you the right to display the appropriate badge on your company’s marketing, letting clients, customers and suppliers easily see your commitment to keeping their data safe.
By joining over 9,000 companies in achieving what is rapidly becoming a de facto industry standard you can earn more business, protect yourself against many common cyber threats and potentially even reduce your insurance costs. Moreover, by implementing the controls detailed in §3.1 you are already fulfilling all, or almost all, of the Cyber Essentials criteria, making this final step a real no-brainer.
Whether you apply for Cyber Essentials accreditation or not, you will nonetheless have to create and implement a robust information management and security policy, or suite of policies. Not only that, you will have to ensure that such a policy or set of policies has been disseminated throughout your practice, that your employees have read and understood it, and that they have agreed to adhere to its rules.
Mitigate is a complete internal training solution from Mitigate. Along with providing GCHQ-certified e-learning training and assessment to your employees, Mitigate allows you to track levels of risk and policy acceptance across your practice, per-employee and per-department. Crucially for Lexcel compliance, it also provides you with a full suite of 12 template information security policies covering topics from bring your own device (BYOD) to social engineering attacks. All of these policies are guaranteed to be ISO 27001-, Cyber Essentials- and GDPR-compliant, helping you rapidly implement the policies and procedures that you need to satisfy the new Lexcel standards, as well as preparing you for any future amendments that increase the information security demands put upon you.
Mitigate are a Cyber Essentials Certification Body and offer either accreditation of the basic and Plus levels, or consultancy services. For more information about Cyber Essentials or Mitigate, please get in touch with us at [email protected] or call us at (+44) 0333 323 3981.