What is Lexcel?
Created by the Law Society, Lexcel is their “legal practice quality mark for practice management and client care”. The framework helps practices and in-house legal departments develop consistent operational efficiencies and client services, manage risk effectively, reduce costs and promote profitability. It is the most appropriate Standard for the legal profession, as it was written by solicitors for solicitors.
It provides a management framework for legal practices. Supportive and flexible, so that each firm can apply it according to its own requirements, it sets the Standard required in seven areas.
The Law Society lists these as:
- Structure and strategy
- Financial management
- Information management
- People management
- Risk management
- Client care
- File and case management
What is Cyber Essentials?
An information assurance scheme, Cyber Essentials is a joint initiative by the National Cyber Security Centre (NCSC) and the UK government. It serves as a framework for all businesses to assess the efficacy and efficiency of their data storage and security and to make any necessary improvements.
The assessment tests your IT systems and devices – this includes anything that connects to the internet. It looks at where you’re at risk from online attacks such as hacking or accessing secure sites by guessing passwords. It tests five baseline controls:
- Boundary firewalls and internet gateways
- Malware protection
- Patch management
- Secure configuration
- Access control
Cyber Essentials Plus uses the same controls, but these are verified by an independent assessor, who simulates system hacks and phishing attacks in a safe way to identify gaps that need to be fixed.
Why should you get certification?
With the introduction of Lexcel V6.1, the Law Society has incorporated the UK government-approved Cyber Essentials certification.
Practices must have an information management and security policy and should be accredited against Cyber Essentials. Although this is an optional requirement, in some cases practices may be asked by their Lexcel assessor to explain why they have chosen not to implement it.
The legal profession is particularly vulnerable to cyber-attacks, due to the confidential nature of the materials it holds. PricewaterhouseCoopers’ Law Firms Survey back in 2017 found that most firms had experienced a security incident in the preceding 12 months, with phishing attacks being the most common.
As with other assessment tools, Lexcel is designed to help practices effectively manage risk and improve operational efficiencies. Achieving those reduces costs and increases profitability.
By getting accreditation for your legal practice, you’re demonstrating your commitment to security and looking after data. Achieving Lexcel and Cyber Essentials certification will make you look more professional, which in turn will help you win more business.
Potential customers will see that you’re protecting your clients’ sensitive information and will be reassured that they can trust you with theirs too. The Cyber Essentials and Lexcel certification are an immediate sign of your approach to security, and they’re nationally recognised.
More importantly, you have an obligation both to be compliant with security and data protection legislation and to show that you’re proactively working to maintain these. Lexcel accreditation is awarded for three years, with annual re-accreditation and monitoring visits to ensure continued compliance. It’s recommended that you’re reassessed annually, or if you change any systems or software. Your Cyber Essentials must be recertified annually.
How to get accreditation
You don’t need an external consultant for the majority of the Lexcel certification, and you can self-assess for Cyber Essentials. However, on completion of the questionnaire, your answers will need to be verified by an independent third party. In order to secure Lexcel accreditation, your business will be audited.
Working with an assessor could save you time and money, so you may consider using one. The Law Society explains that you can select an assessment body from one of three which it has licensed to carry out the work on its behalf. These are:
At ATG, we work closely with Recognising Excellence and have a good working relationship with their assessors, so we understand what they require when it comes to information security.
The assessment body will explain how an assessor is chosen. The Law Society says that use of assessment bodies “ensures that the process is independent, objective and maintains rigorous quality control”. The assessor will support and guide you through the process, which normally takes around six months.
If you decide to go ahead with Cyber Essentials Plus, you’ll need a consultant to carry out the testing for you. Should the testing find a number of gaps that you need to fix, you might look for an IT support partner to do this for you, and also to provide ongoing support to monitor your systems and prevent future attacks.
The cost of the basic level of Cyber Essentials is £300 plus VAT, and you can get started with this straight away by downloading the questionnaire. Prices vary for the Plus level certification, as they depend on how much time the assessor needs and how many devices you have.
If you’d like to learn more about both Cyber Essentials options, please get in touch.