London SJP Partner Practices: Navigating the Cyber Essentials Plus Mandate
St. James’s Place announced on 23 May 2024 that every business in its 2,800-strong Partner Practice network must hold Cyber Essentials Plus. IASME, which administers the scheme on behalf of the NCSC, called it the first network of its kind to extend mandatory cybersecurity oversight at this scale. Within six months, over 1,600 Partner Practices were certified, and SJP has publicly reported an approximately 80% reduction in security incidents across the Partnership since 2023.
The mandate sits on top of every London-based Partner Practice the same way it sits on a practice in Manchester or Bristol: Cyber Essentials Plus is non-negotiable, Cyber Essentials on its own is not sufficient, and letting certification lapse is treated as a compliance breach. But London Partner Practices face a few operational realities worth addressing specifically — the concentration of small practices in the City, Mayfair, and Canary Wharf; the prevalence of serviced office and co-working arrangements; and the client-facing expectations of a market where institutional and high-net-worth individual clients increasingly ask about their adviser’s cybersecurity posture.
This guide is for Partner Practice principals and practice managers in London who need to get, and stay, CE Plus certified under the SJP requirement.
The London Partner Practice concentration
Although SJP does not publish a per-city Partner Practice count, a meaningful proportion of the 2,800 Practices are London-based or London-serving. The London Partner Practice population spans:
- One-to-three person practices in serviced offices (Regus, WeWork, Fora, The Argyll Club)
- Mid-sized practices of 5-15 people in dedicated offices across the City, Mayfair, and West End
- Larger multi-adviser practices in the City and Canary Wharf
- Regional practices with a London branch serving City-based clients
The CE Plus requirement applies identically to each. The practical remediation work varies most based on how the practice runs its IT — how much is cloud-managed, how much is under MDM control, how many personal devices are in play, and how identity is federated across the SaaS stack a Partner Practice typically uses.
What SJP’s mandate actually says
Matthew Smith, SJP’s Divisional Director of Cyber Security, has described the programme as requiring executive support and hearts-and-minds engagement with Partners rather than being treated as pure compliance. In practice, the operational requirements for a Partner Practice are:
- Valid Cyber Essentials Plus certificate, issued by any IASME-licensed certification body
- Continuous certification (certificates are valid for 12 months; lapse is a breach)
- Certificate provided to SJP through their compliance reporting channel
- Assessment against the current Cyber Essentials standard — which is v3.3 from 28 April 2026 onwards, with its mandatory MFA requirements
What SJP does not specify is which certification body you use. Partner Practices are free to choose any IASME-licensed body. What they need to demonstrate is that the certificate is current, valid, and issued against the current version of the scheme.
Why Plus and not just Cyber Essentials
SJP chose Plus over self-assessed Cyber Essentials because Plus includes an independent technical audit. The distinction matters: Cyber Essentials is the self-assessed questionnaire route, while Plus adds a hands-on external assessment that verifies the controls are actually in place on your systems.
For a Partner Practice handling HNWI portfolios, pension transfers, and the kind of sensitive financial documentation that criminal groups target, the Plus audit is what closes the "is it actually implemented" question. A self-assessed CE certificate says you claimed the controls were in place. The Plus audit says an external assessor confirmed they are.
London-specific realities
Serviced offices and shared wifi. A London Partner Practice in a Regus or WeWork uses the building’s wifi. From a CE Plus perspective, the building’s wifi is not your firewall. Your device-level controls carry the full weight of the boundary firewall requirement: a software firewall enabled and locked on every laptop, full-disk encryption on every device, and no reliance on the building’s network being secure.
Shared office receptionists and printing. Many serviced-office operators provide shared printing, document scanning, and occasionally shared desk booking systems. None of these should be used for client data. The CE Plus audit will check that printed output containing client data is either retrieved promptly or produced on a practice-owned device (not a shared print pool).
Client meetings at the Inns of Court, private clubs, or hotels. Where Partners meet clients in London locations outside their own office, the laptop and phone the Partner brings are the operational boundary. CE Plus requirements travel with the device. This is why software firewall, disk encryption, screen lock, and MDM coverage matter more for London-based Partners than for Partners who meet clients exclusively in their own office.
The Mayfair small-practice IT pattern. Many small Mayfair and West End Partner Practices run on a single practice-manager-with-an-IT-background model, or outsource IT to a boutique London-focused MSP. The remediation pattern for CE Plus is similar either way: an Intune or Jamf deployment covering every in-scope device, MFA on every Microsoft 365 or Google Workspace user, and a documented baseline.
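A pre-audit check for the device-level controls the serviced-office and out-of-office passages above rely on (software firewall, disk encryption, screen lock, malware protection, MDM enrolment), as an added example and not a script from Fig Group, SJP or IASME. It assumes a Windows 10/11 laptop with BitLocker and Microsoft Defender, run from an elevated PowerShell session; the 15-minute screen-lock threshold is an assumed practice baseline rather than a figure from the scheme, and the registry marker used for MDM enrolment is an assumption.

```powershell
# Added example (not SJP's, Fig Group's or IASME's own script). Run elevated on a
# Windows 10/11 laptop. Each result is one control the CE Plus assessor will want
# to see on a device that leaves the office or sits on shared building wifi.
$report = [ordered]@{}

# 1. Software firewall: all three profiles (Domain, Private, Public) must be on,
#    because the serviced office's network is not the practice's boundary.
$profiles = Get-NetFirewallProfile
$report.FirewallAllProfilesEnabled = -not ($profiles | Where-Object { -not $_.Enabled })

# 2. Full-disk encryption: the OS drive must be fully encrypted with protection on.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report.OsDriveFullyEncrypted = ($os.VolumeStatus -eq 'FullyEncrypted' -and
                                 $os.ProtectionStatus -eq 'On')

# 3. Screen lock: machine inactivity limit (seconds). 900s is an assumed baseline.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$timeout = (Get-ItemProperty -Path $policyKey -Name InactivityTimeoutSecs `
            -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$report.ScreenLockTimeoutSecs = $timeout
$report.ScreenLockWithin15Min = ($null -ne $timeout -and $timeout -gt 0 -and $timeout -le 900)

# 4. Malware protection: Defender real-time protection on, signatures not stale.
$mp = Get-MpComputerStatus
$report.RealTimeProtectionOn  = $mp.RealTimeProtectionEnabled
$report.SignatureAgeDays      = $mp.AntivirusSignatureAge
$report.SignaturesFresh       = ($mp.AntivirusSignatureAge -le 1)

# 5. MDM enrolment: an Intune-managed device has an enrolment entry carrying a
#    ProviderID (assumed marker; cross-check with 'dsregcmd /status' if unsure).
$enrolments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    Where-Object {
        $null -ne (Get-ItemProperty -Path $_.PSPath -Name ProviderID -ErrorAction SilentlyContinue)
    }
$report.MdmEnrolled = (@($enrolments).Count -gt 0)

# Anything reported as False is a remediation item before the Plus audit.
[pscustomobject]$report | Format-List
```

Run it on every in-scope laptop and keep the output with the practice's CE Plus evidence; a False in any row is a gap to close before booking the audit.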
The SJP Partner Practice technology stack
Most SJP Partner Practices run some combination of:
- Microsoft 365 or Google Workspace for email and documents
- The SJP central systems (accessed via SJP’s identity federation)
- A financial planning or back-office platform (Intelliflo, FE fundinfo, Voyant, CashCalc, Dynamic Planner, Prestwood, DISCUS)
- A CRM (many SJP Partners use Intelliflo Office, Xplan, or bespoke tools)
- Portfolio review and illustration tools
- A document signing tool (DocuSign, Adobe Sign)
- A secure client portal for document sharing
- Laptops for Partners and support staff
- Phones, often a mix of company-issued and BYOD
Each of the above that holds or processes client data is in scope for CE Plus. The single biggest operational gap I see in SJP Partner Practices is that the cloud platforms other than the main email tenant often do not have MFA enforced, because they were set up before MFA was a universal expectation and have not been revisited since.
The three London Partner Practice remediation patterns
From working with London-based Partner Practices on CE Plus readiness, three patterns cover most of what needs doing:
Pattern 1: MFA sweep across the secondary platforms. The Partner Practice has MFA on Microsoft 365 but not on Intelliflo, the client portal, the document signing tool, or the portfolio review platform. Going through each non-SSO-integrated service and enforcing MFA on every user account is typically two to four hours of work and closes the single biggest v3.3 compliance gap.
Pattern 2: Formalise the device estate. The Practice has laptops that were purchased and set up individually, never enrolled in any management tool. Getting Intune configured with a security baseline (for M365-based practices) or Jamf (for Mac-heavy practices) closes patching, firewall, and malware protection requirements in one step.
Pattern 3: Address the BYOD question explicitly. Partners check SJP email on personal iPhones. Personal iPhones are in CE Plus scope. Either enrol them in MDM with compliance policies, or restrict SJP email access to managed devices only via conditional access policies. Most London Partners choose the second route because the first is friction-heavy for personal-device users.
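Pattern 3’s second route, as an added example rather than SJP’s or Fig Group’s own configuration: a Microsoft Entra Conditional Access policy, created through the Microsoft Graph PowerShell SDK, that lets only Intune-compliant devices reach Office 365, so an unenrolled personal iPhone cannot sync SJP email. It assumes the Microsoft.Graph module is installed, an account holding the Policy.ReadWrite.ConditionalAccess permission, and a break-glass admin group whose object ID is a placeholder here.

```powershell
# Added example (not SJP's or Fig Group's own policy). Requires the Microsoft.Graph
# PowerShell SDK and an admin with Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "CE Plus - Require compliant device for Office 365"
    # Start in report-only mode: the sign-in logs show who WOULD be blocked
    # (typically Partners on unenrolled personal phones) before anyone is.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            # Placeholder: object ID of the break-glass admin group, which must
            # never be locked out by a device-compliance policy.
            excludeGroups = @("<break-glass-group-object-id>")
        }
        # "Office365" is the Graph shorthand for the Office 365 app group
        # (Exchange Online, SharePoint, Teams, etc.), which is where SJP email lives.
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")   # browser, Outlook, ActiveSync and legacy clients alike
    }
    grantControls = @{
        operator        = "OR"
        # Only a device marked compliant by Intune may proceed; a BYOD phone that
        # has not been enrolled fails this control and is refused access.
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in report-only mode"

# After reviewing the report-only sign-in logs and enrolling (or excluding) the
# affected users, switch the same policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }

# Verify what is now in the tenant, for the CE Plus evidence pack.
Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'CE Plus - Require compliant device for Office 365'" |
    Select-Object DisplayName, State, Id
```

Leave the policy in report-only mode for at least a few days of normal use before enforcing it, so that every Partner who checks email on a personal phone has either enrolled the device or been moved to a managed one.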
The renewal cadence
SJP expects continuous certification. A London Partner Practice should begin the renewal process at least four weeks before the existing certificate’s expiry date. Put a standing reminder in the practice calendar; the renewal is not complicated, but missing it is a breach of the mandate.
Because v3.3 became effective on 28 April 2026, every Partner Practice renewing after that date is assessed against v3.3 — including the expanded mandatory MFA requirements. Any Partner Practice that has not already done the MFA sweep across every in-scope cloud service should do it before their next renewal, not during it.
Typical cost and timeline for a London Partner Practice
For a 1-9 person Partner Practice in London, CE Plus certification typically costs between £1,499 and £1,999 + VAT depending on certification body and organisation size. The remediation work (MFA enforcement, device enrolment, any laptop replacements for unsupported OS versions) varies, but for a reasonably well-run small practice it is typically one to three days of focused work plus any required software licensing.
Fig Group’s CE Micro (1-9 employees) starts at £299.99 + VAT, with CE Plus Micro at £1,499 + VAT. For Partner Practices in the 10-49 range, CE Small is £399.99 + VAT and CE Plus Small is £1,999 + VAT. Both levels include the underlying Cyber Essentials certification.
If you are an SJP Partner Practice in London and have not yet certified
Most Partner Practices that have not yet certified are either newer Practices or Practices that missed the initial rollout. If that is you, the path is straightforward:
1. Run the free readiness checker to identify gaps
2. Close the MFA and device-management gaps you find
3. Purchase Cyber Essentials (self-assessed) and pass that first
4. Book the Plus audit once CE is confirmed (1-3 working days)
5. Submit the Plus certificate to SJP via their compliance portal
The full sequence, if the remediation gaps are small, can complete in a week. If there are significant gaps (unmanaged device estate, no MFA on secondary platforms, shared accounts in the CRM), allow two to three weeks.
Bottom line
The SJP Cyber Essentials Plus mandate is a mature, well-established programme. For London-based Partner Practices, the controls it requires map cleanly onto the way modern UK wealth management operates — MFA, managed devices, documented leaver processes, restricted sharing. The distinct London operational questions (serviced offices, client meetings outside the office, BYOD for mobile Partners) are addressable through the same set of controls, applied to the device estate rather than the office network.
For Partner Practices that have not yet certified, delay is not strategic. SJP’s compliance position is clear, and the operational posture CE Plus asks for is a reasonable baseline for any firm handling HNWI financial data in 2026.
About the author
Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.