Cyber Essentials for London Criminal Barristers’ Chambers: What the BSB Does Not Require, But Everyone Is Asking For

Jay Hopkins 18 April 2026 12 min read

The Bar Standards Board does not require Cyber Essentials. The BSB Handbook requires barristers to take appropriate steps to protect confidential information and to comply with data protection obligations — but it does not specify Cyber Essentials as the mechanism. The Bar Council’s own IT and cybersecurity guidance points to NCSC frameworks (the 10 Steps to Cyber Security, Exercise in a Box) and a jointly-developed cyber security questionnaire produced with the Law Society, but again does not formally mandate Cyber Essentials.

And yet. Every London criminal chambers I work with is either already certified or actively evaluating the process. The reason is not that the BSB shifted position. The reason is that solicitor firms instructing chambers — particularly CQS-accredited firms and firms operating under SRA Lexcel — are increasingly asking. Corporate and institutional lay clients are asking. Insurers at renewal are asking. And across 2024 and 2025, data breaches at UK legal sector firms rose by 39%, making the commercial and reputational cost of getting cybersecurity wrong rather higher than the cost of certification.

This guide covers the specifics of Cyber Essentials for London criminal chambers: why the unusual chambers-as-partnership structure creates scoping questions, how the typical London criminal practice technology stack maps to the CE controls, and why certification has become a practical necessity even though the BSB Handbook does not require it.

Why London criminal chambers, specifically

Criminal chambers are a distinct category within the UK legal market. The Bar’s self-employed model — barristers as sole practitioners, chambers as shared services rather than law firms — creates structural complications that commercial or civil chambers do not always face to the same extent. Criminal practice adds specific material: defendant data, sensitive victim testimony, sealed court documents, evidence bundles, DNA and forensic reports, medical records submitted in mitigation.

London criminal chambers are concentrated in the four Inns of Court (Middle Temple, Inner Temple, Lincoln’s Inn, Gray’s Inn) and surrounding locations — Chancery Lane, Fleet Street, the areas around the Royal Courts of Justice and the Old Bailey. The London criminal bar has specific operational patterns: significant use of the Old Bailey and Southwark Crown Court, heavy engagement with the CPS Digital Case System and the HMCTS Common Platform, reliance on CJSM for case communications with the CPS and MOJ, and the continued tradition of some briefs being delivered physically.

The chambers themselves range widely in size: from single-tenant sets to 60- or 80-strong sets with full administrative infrastructure, Heads of Chambers, senior clerks, and dedicated IT teams.

The chambers-as-partnership scoping question

The single most important scoping question for a criminal chambers is how to treat the chambers itself versus the individual barristers. Barristers are self-employed. Chambers is, technically, a shared services arrangement — premises, clerks, IT infrastructure, marketing, administration — that barristers pay into via chambers rent or a percentage of fees.

For Cyber Essentials purposes, the practical positions are:

Position 1: Chambers-level certification covering the shared services and the members. The chambers entity is certified. The scope covers the shared infrastructure (email domain, case management system, clerks’ systems, document storage) and the member barristers as users of that infrastructure. Each member’s chambers-issued or chambers-managed equipment is in scope.

Position 2: Chambers-level certification covering only the shared services and staff. Chambers administrative staff (clerks, practice managers, IT, finance, marketing) and shared infrastructure are in scope. Individual barristers’ practices — in particular, any personal devices they use as self-employed individuals — are not in scope. This requires the scope to be clearly drawn and the chambers-managed infrastructure to not flow organisational data onto out-of-scope personal devices.

Position 1 is cleaner and more defensible for marketing purposes (the chambers is certified; all members benefit from the statement). Position 2 is sometimes what chambers end up with in practice because bringing every self-employed barrister’s personal devices into the scope is operationally complex.

Most London criminal chambers end up somewhere between the two — they certify the chambers-level shared services and set expectations for members about device management, but formally the scope may be drawn tightly around what chambers controls rather than extending into every member’s kit. The certification then reads as "chambers-wide" even if the formal scope statement is more constrained.

Either way, the scope needs to be documented clearly and consistently with the technical posture. A chambers claiming scope coverage of all members but allowing members to store briefs on unencrypted, unmanaged personal devices is not actually covering what it claims.

The typical London criminal chambers technology stack

Most London criminal chambers run:

  • A chambers email platform (Microsoft 365, Google Workspace, or occasionally NHSmail-style specialist tenancies)
  • A practice management and case management system (LEX Chambers, Advocate Chambers, Athena, MeridianLaw, Salesforce-based bespoke setups)
  • CJSM accounts for secure messaging with CPS, MOJ, and HMCTS
  • Access to the CPS Digital Case System (DCS)
  • Access to the HMCTS Common Platform (increasingly)
  • Document management — often SharePoint, OneDrive, Dropbox Business, or chambers-specific document systems
  • A website and digital marketing platforms
  • Phones — company-issued for senior clerks, personal for most barristers
  • Physical post and physical paper briefs (still significant in criminal practice)

The in-scope device estate depends heavily on how chambers is structured. Chambers-employed staff (clerks, administrators, IT, finance, marketing) almost always use chambers-issued laptops under some form of management. Barristers typically use a mix of personal laptops, personal phones, and — increasingly — chambers-provided laptops or MDM-enrolled personal devices.

Why solicitor firms instructing criminal chambers are asking about CE

The pressure on chambers to certify is coming primarily from the solicitor firms that instruct them. Several overlapping drivers:

SRA Lexcel. Lexcel is the Law Society’s practice management standard. Lexcel-accredited firms must evidence appropriate information security across their practice and supply chain. Chambers handling their clients’ confidential information are, operationally, part of that supply chain. A Lexcel-accredited firm asking its chambers about cyber posture is increasingly routine.

CQS (Conveyancing Quality Scheme). Less directly relevant for criminal chambers than civil, but many criminal barristers are instructed by mixed-practice firms that hold CQS. Those firms have cybersecurity expectations that cascade to their counsel.

Corporate lay clients. Private prosecution work, director liability, and corporate crime cases often bring chambers into direct contact with corporate clients. Those clients, particularly from financial services, pharmaceutical, or regulated sectors, routinely ask about counsel’s cybersecurity posture as part of broader supplier due diligence.

Insurance. Professional indemnity insurance for chambers and for individual barristers is increasingly being priced with reference to cybersecurity posture. CE certification is a signal.

High-profile case exposure. Criminal chambers handling cases with significant public interest, national security context, or sensitive complainant data face reputational and operational exposure from a breach that goes well beyond the BSB’s regulatory reach.

The net effect is that even though the BSB does not require Cyber Essentials, the commercial ecosystem that surrounds a London criminal chambers increasingly does.

How the five CE controls apply to a criminal chambers

Firewalls. Chambers premises in the Inns or surrounding locations typically have a chambers-owned broadband connection with a boundary firewall. The usual requirements apply: default credentials changed, admin interface not exposed to WAN, firmware current. For barristers working from home (which is most of them for paperwork and advice work), the laptop’s software firewall carries the load. Chambers should require managed software firewall configuration on any chambers-issued or MDM-enrolled device.

Secure configuration. This is the area most chambers need to tighten. Typical gaps: shared clerks’ room workstations with local admin rights, legacy software still on unsupported Windows versions, barrister laptops purchased independently with no management baseline, default passwords on chambers network devices. The remediation is the same as for any sector — MDM baseline, no local admin for day-to-day use, audit of network devices.

Security update management (14-day patching). Chambers laptops need patching within 14 days of critical updates. The usual issues: browsers like Chrome and Firefox, PDF readers (critical for criminal briefs), video conferencing tools, CJSM client software. A managed patching approach covers this; a "we expect users to keep their own devices up to date" approach does not.

User access control. Under v3.3, MFA on every chambers email account, every case management system user, every CJSM account, every document storage platform user. Shared clerks’ logins (the "chambers_admin" account everyone uses) need to be replaced with individual accounts. Leaver processes — when a clerk, administrator, or barrister leaves chambers — need to reach every in-scope system promptly.

Malware protection. Standard. Windows Defender or EDR on every Windows device, active and updating; Mac built-in protections on Apple devices. The criminal-chambers-specific consideration: CPS digital bundles and other criminal case documents are high-volume file attachments, often from unverified external sources. Real-time scanning on every inbound file matters in practical terms.

CJSM’s limitations — an important caveat

One specific insight worth understanding: CJSM (Criminal Justice Secure Mail) is a transport-level security mechanism, not a message-level encryption service. CJSM provides a secure network path between participating organisations (CPS, MOJ, HMCTS, police forces, authorised defence practitioners) but the messages themselves are not end-to-end encrypted or signed in the way that, say, S/MIME or PGP messages are.

The practical implication: an attacker who compromises a barrister’s chambers email account can, in most cases, read CJSM messages that landed in the inbox. CJSM does not defend against post-delivery compromise of the recipient account. That is exactly why MFA on CJSM-linked email accounts, and proper endpoint security on the devices that access those accounts, is more important in a criminal chambers than the CJSM branding alone might suggest. See the dedicated article on CJSM, Common Platform, and criminal chambers cybersecurity for a deeper look.

What chambers should do now

If you run a London criminal chambers and have not yet certified:

1. Scope decision. Agree internally whether certification covers shared services only or extends to member-managed devices. Document the position.

2. MFA sweep. Every chambers cloud platform — email, case management, CJSM, document storage, any secondary tool. MFA on every account.

3. Device baseline. Chambers-managed MDM for staff and ideally for barristers. Intune for M365-based sets, Jamf for Mac-heavy sets.

4. Leaver process. Integrate with chambers HR. Disable accounts within one working day of departure across every in-scope system.

5. Document the scope carefully. For chambers, the scope statement is especially important because the structure is unusual. Be clear about who is covered and who is not.

6. Certify to Cyber Essentials first (from £299.99 + VAT for micro chambers). Add Plus once chambers is ready for the technical audit (from £1,499 + VAT).
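
The MFA sweep, shared-login and leaver checks from the user access control section and steps 2 and 4 above can be run over an account inventory. The script below is an added example, not part of the original article or any chambers product. The CSV column names and sample rows are constructed, and "within one working day" is assumed to mean by the end of the next weekday, ignoring bank holidays.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export. Column names are assumptions for this example,
# not the format of any real practice-management or identity product.
INVENTORY = """system,account,users,mfa,left_on,disabled_on
email,a.clerk,A Clerk,yes,,
email,chambers_admin,A Clerk;B Clerk;C Admin,no,,
case-mgmt,b.barrister,B Barrister,no,,
cjsm,d.former,D Former,yes,2026-04-10,2026-04-13
docs,d.former,D Former,yes,2026-04-10,2026-04-15
email,e.former,E Former,yes,2026-04-16,
"""

def next_working_day(day):
    """Day after `day`, skipping Saturday and Sunday (bank holidays ignored)."""
    day += timedelta(days=1)
    while day.weekday() >= 5:
        day += timedelta(days=1)
    return day

def audit(inventory_csv, today):
    """Return sorted (system, account, finding) tuples for the three checks."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        key = (row["system"], row["account"])
        left = date.fromisoformat(row["left_on"]) if row["left_on"] else None
        disabled = date.fromisoformat(row["disabled_on"]) if row["disabled_on"] else None
        if left:
            # Leaver: account must be disabled by the end of the next working day.
            deadline = next_working_day(left)
            if disabled is None and today > deadline:
                findings.append(key + ("leaver-still-enabled",))
            elif disabled is not None and disabled > deadline:
                findings.append(key + ("leaver-disabled-late",))
        if disabled is None:
            # Live account: needs MFA and exactly one named user.
            if row["mfa"].strip().lower() != "yes":
                findings.append(key + ("no-mfa",))
            if len([u for u in row["users"].split(";") if u.strip()]) > 1:
                findings.append(key + ("shared-login",))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(INVENTORY, today=date(2026, 4, 18)):
        print(*finding, sep="\t")
```

The same account appearing under several systems is deliberate: a leaver disabled promptly in one system and late in another is reported per system, which is the gap the leaver process is meant to close.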

Bottom line

The BSB does not formally require Cyber Essentials for criminal barristers’ chambers. Solicitor firms, institutional lay clients, CPS counterparts, and insurers effectively do. The commercial and reputational pressure to certify is real and increasing, and the operational posture CE asks for — MFA, managed devices, proper leaver processes, documented scope — directly addresses the risks chambers actually face in criminal practice.

London criminal chambers that have already certified find the ongoing compliance posture manageable. Chambers that have not certified face the growing question of why from the people they work with and for. CE is now a credibility artefact in a sector that runs on credibility.


About the author

Jay Hopkins


Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor, IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
