Legal practices operating under legal aid contracts are subject to a number of regulatory and quality assurance requirements, including compliance with either the Lexcel Practice Management Standard (Lexcel) or the Specialist Quality Mark (SQM). These frameworks focus on a wide range of topics related to the delivery of high-quality legal services and effective practice management, including information security. With both standards recommending certification to the Cyber Essentials scheme to fulfil their information security management requirements, practices are provided with a clear framework to ensure compliance with this aspect of Lexcel or the SQM, safeguard client data and mitigate cyber risks.
Why are Lexcel and the SQM required for practices?
If you work within the legal sector, it is quite likely that you have encountered Lexcel or the SQM, as accreditation to one of these standards is mandatory for holding a legal aid contract with the Legal Aid Agency. Such a contract is needed if your practice wants to offer legal aid services.
What are Lexcel and the SQM?
Introduced by the Law Society of England and Wales, Lexcel is the legal practice quality mark for client care, compliance and practice management. It covers the following areas:
- Information management
- Risk management
- Client care
- People management
- Structure and strategy
- Financial management
- File and case management.
Meanwhile, the SQM is a quality assurance standard maintained by the Legal Aid Agency. The SQM contains the following sections:
- Access to Service
- Seamless Service
- Running the Organisation
- People Management
- Running the Service
- Meeting Clients’ Needs
- Commitment to Quality.
The Standard also provides guidance and defines requirements on information handling.
In their respective guidance documents, both Lexcel and the SQM recommend that practices obtain certification to Cyber Essentials to improve their information security management, and as a means of meeting the Standards’ requirements.
What is Cyber Essentials and why would your practice benefit from certifying?
The Cyber Essentials scheme was developed as a part of the UK Government’s National Cyber Security Strategy. It aims to protect your practice against a range of internet-based cyber attacks by providing a framework of technical controls across 5 basic control areas:
- Firewalls
- Secure configuration
- Security update management
- User access control
- Malware protection.
By achieving Cyber Essentials certification, your practice is effectively protecting itself against 80% of the most common cyber attacks. The Cyber Essentials Supply Chain Brochure even notes that Cyber Essentials-certified organisations are 92% less likely to make an insurance claim for a cyber incident than those without.

Achieving Cyber Essentials allows your practice to demonstrate its commitment to security and is often required as part of governmental contracts. 76% of CE users report that holding Cyber Essentials certification helps reduce the due diligence burden placed upon them, thereby saving time and resources.
If your practice would benefit from additional validation of its security measures, it can obtain certification to Cyber Essentials Plus, the scheme’s audited qualification. The requirements of Cyber Essentials and Cyber Essentials Plus are the same, so you will not need to implement any additional measures in order to achieve the additional certification. However, Cyber Essentials Plus involves a technical audit, conducted by a qualified external assessor, to verify your effective implementation of the Cyber Essentials controls, thereby providing an extra layer of assurance to prospective clients and other key stakeholders.

How do you get certified?
To achieve Cyber Essentials certification, you will need to complete a self-assessment questionnaire (SAQ). Certification bodies, such as URM, can provide you with access to a portal where you will need to answer a number of questions about your IT infrastructure. A board member will also need to provide a signed declaration that all answers provided in the Cyber Essentials assessment are accurate.
Following submission, the SAQ will be reviewed by your chosen certification body, with most certification bodies aiming to complete the review and return your results within 3 working days. If successful, you will hold a valid certification, and will need to recertify on an annual basis. If you are unsuccessful, you will be provided with a further 2 working days to address any gaps (e.g., amending simple issues with policies or your network), following which you can resubmit your updated SAQ, free of charge.
If your practice decides to seek Cyber Essentials Plus certification, you will need to complete the technical audit within 3 months of certifying to Cyber Essentials. You can only achieve Cyber Essentials Plus if you have already certified to Cyber Essentials. The technical audit will need to be conducted by an accredited certification body, and involves internal and external vulnerability scans and tests of your malware protection on a sample of your practice’s devices. If no gaps are identified during the audit, certification will be awarded.
How URM can help
As an accredited certification body, URM has extensive experience both supporting and facilitating successful Cyber Essentials and Cyber Essentials Plus certifications, for organisations of all sizes and from a wide range of industries. We are also an Assured Service Provider under the National Cyber Security Centre (NCSC) Cyber Advisor scheme, enabling us to provide Cyber Essentials advice and guidance that you can be assured is aligned with the NCSC’s high standards. Our large team of Cyber Essentials experts can offer you a range of services to help ensure your Cyber Essentials and Cyber Essentials Plus assessments are as smooth and straightforward as possible, and that your application is successful.
Gap Analysis
Our Cyber Essentials gap analysis is aimed at organisations which are new to the scheme. Our Cyber Advisors will guide you through the assessment, clarifying requirements and evaluating your current controls. You'll receive a detailed report outlining any necessary actions to achieve compliance, helping you create a targeted action plan to address any gaps.
Application Review Service
If you are looking for reassurance that your application for Cyber Essentials is complete and ready to submit, URM’s expert team is able to support you. With our Cyber Essentials application review service, we can deliver a detailed review and an interpretation of your application; whether you're seeking clarification or adjusting to SAQ changes, our assessors ensure accuracy and compliance.
Our assessors will perform an offline review of your answers to identify any that are missing, incomplete, or that may have been misunderstood and, as such, do not fully comply with the scheme’s requirements. Following the offline review, the URM assessor will (via a remote session) walk you through each of the identified non-compliant responses to ensure you have interpreted the question correctly, and have provided an accurate and appropriate response that will meet the requirements of the Scheme.