The Lexcel Standard, the Law Society's legal practice quality mark, is evolving. Lexcel Edition 7 has not yet been formally released, but there is growing consensus across the legal and cybersecurity sectors that the next iteration will introduce more stringent requirements around cybersecurity and information governance.
At Cyber Tzar, we are already seeing the groundwork being laid for this shift, particularly in how firms are being encouraged to approach risk and resilience in their operations.
The Current State: Lexcel v6.1 and Cyber Essentials
Under Lexcel England and Wales v6.1, Section 3.2 makes it clear that practices must have an information management and security policy in place. More notably, it also strongly recommends that firms gain Cyber Essentials certification, the UK government-backed scheme run by the NCSC that defines five technical controls to protect against the most common cyber threats:
- Firewalls (boundary protection for the network and for individual devices)
- Secure configuration (removing default accounts, unused software and services)
- User access control (least privilege, and multi-factor authentication for cloud services)
- Malware protection
- Security update management (patch management, including applying critical and high-risk fixes promptly)
Though not yet mandatory under Lexcel, the emphasis placed on Cyber Essentials already signals a direction of travel. In practice, firms looking to maintain Lexcel accreditation are increasingly expected to demonstrate that they have implemented these baseline controls, not merely written them into a policy.
What to Expect in Lexcel Edition 7
While the specific wording of Lexcel Edition 7 has not been published, the context is becoming clearer. With the UK government preparing the Cyber Security and Resilience Bill, and the Law Society placing greater emphasis on operational resilience, Edition 7 will likely require demonstrable cyber risk management capabilities: not just policies, but evidence that controls are implemented and periodically reviewed.
This could mean formal cybersecurity audits, staff awareness training as a requirement (not just best practice), and more thorough incident response planning. It is also plausible that Cyber Essentials, or even Cyber Essentials Plus (which adds independent technical verification of the controls rather than self-assessment alone), could move from "recommended" to "required".
What Legal Practices Should Do Now
To stay ahead of the curve and prepare for Lexcel Edition 7, we recommend the following:
1. Achieve Cyber Essentials Certification
Whether or not it is yet mandatory, certification signals to clients and regulators that you take security seriously, and it covers exactly the kind of controls Lexcel expects. Certification is renewed annually, so treat it as an ongoing programme rather than a one-off exercise.
2. Regularly Review Security Policies
Ensure your information security policy is current and reflects the latest best practice. Periodic reviews should include updates based on threat intelligence, new tooling, or regulatory change, and each review should be dated and recorded so that an assessor can see the policy is maintained rather than simply written once.
3. Upskill and Train Your Staff
Human error remains one of the leading causes of breaches, and phishing is the most common route into a firm. Investing in staff training is essential, especially around phishing, social engineering, and secure handling of client data, and it should be repeated regularly rather than delivered only at induction.
4. Develop and Test an Incident Response Plan
Every firm should have a documented plan for responding to cyber incidents, covering who is contacted, how systems are isolated, and when clients, insurers, the ICO and the SRA need to be notified. The plan should be exercised regularly (for example through tabletop walkthroughs of realistic scenarios) and refined based on what those exercises reveal.
Final Thoughts
Lexcel Edition 7 is likely to bring cybersecurity into even sharper focus for legal practices. Those that begin preparing now will be best positioned to meet the new standard with confidence and demonstrate a mature approach to managing cyber risk.
At Cyber Tzar, we help regulated firms quantify and reduce cyber risk through continuous assessment, benchmarking, and incident readiness tooling, all aligned to compliance frameworks such as Lexcel, NCSC's Cyber Essentials, and ISO 27001.
Get in touch to find out how we can support your journey.