If you run a London law firm or a regulated financial services SMB, you've probably been asked about Cyber Essentials on a client due-diligence form, a panel application, or an insurance renewal. You may also have had a conversation with someone senior that went: "we should probably have that, shouldn't we?" — and then it went nowhere for eighteen months.
This is the article that gets it off your backlog. It covers what the scheme actually is, how Essentials differs from Essentials Plus, how much it costs, how long it takes, where firms most commonly fail, and — crucially — how it aligns with what the SRA and FCA expect from you in 2026.
Cyber Essentials is a UK government-backed certification scheme owned by the NCSC and delivered by IASME, its Cyber Essentials partner. It covers five technical controls: firewalls, secure configuration, security update management, user access control, and malware protection. Correctly implemented, they block the vast majority of commodity cyber attacks.
It is not a substitute for ISO 27001, SOC 2, or a full information security management system. It's a floor, not a ceiling. The point is that the floor is surprisingly high, and most of the breaches that cripple SMBs — Business Email Compromise, ransomware via unpatched endpoints, admin-account takeover — would have been prevented by passing it.
Cyber Essentials (no "Plus") is a self-assessment. You answer an online questionnaire about your controls, a board member (or equivalent) signs the declaration, you pay the fee, and a certification body reviews the answers and issues the certificate. Nobody tests your systems; the certificate is only as good as the honesty and accuracy of the answers.
Cyber Essentials Plus covers the same five controls, with independent technical verification by an assessor from an IASME-licensed certification body. The assessor runs an external vulnerability scan of your internet-facing services, authenticated vulnerability scans on a sample of your devices, malware-protection tests (benign test files delivered as an email attachment and as a browser download), and checks that MFA on cloud services and the separation of admin and user accounts hold in practice, not on paper. Plus must be completed within three months of a passed Cyber Essentials self-assessment, so the basic certification is a prerequisite, not an alternative.
Which one do your clients and regulators accept?
If you're a law firm under 50 fee earners or a small finance advisory firm, do the self-assessment first to force the remediation work, then book the Plus audit inside the three-month window that follows the self-assessment certificate. If closing the gaps will take longer than that, do the gap analysis and remediation before you submit the questionnaire, otherwise you will be redoing it. For anyone over 50 people, or anyone handling panel work, plan for Plus from the outset; the extra cost is modest relative to the trust it buys.
The SRA doesn't issue a shopping list. Instead, the SRA Standards and Regulations, in particular the Code of Conduct for Firms and the Accounts Rules, require firms to protect client money and client information, maintain competence, and report serious breaches. See the SRA's own risk guidance on cybersecurity.
Cyber Essentials Plus gives you a clean answer to four of the most common SRA-review questions:
The FCA's SYSC rules, Operational Resilience regime, and Consumer Duty all put cybersecurity squarely in the "we expect you to be doing this" category — but without prescribing a specific certification. For SMB firms (MiFID investment managers, IFAs, consumer credit, payment institutions, crypto registrations), Plus is the most cost-effective way to produce an evidence trail that survives a supervisory visit.
Two specific scenarios where Plus pays for itself immediately:
Budget for three buckets:
A 25-person London law or finance firm should expect a total first-year cost of £4,000–£8,000. Renewal in year two is roughly half that — most of the remediation is a one-off.
Any device running an OS past its vendor's end-of-support date is an automatic fail. Windows 10 reached end of support in October 2025, and in 2026 it is still on a surprising number of director laptops. Devices enrolled in Microsoft's paid Extended Security Updates still receive patches and can stay in scope, but you need evidence of enrolment; everything else must be upgraded, replaced, or taken out of scope by removing its access to business data. The Plus vulnerability scans will catch it. Handle this first.
Cyber Essentials requires MFA on all cloud services used for business, not just M365, and Plus checks that it is actually enforced. If your staff use a practice management system, a matter management portal, or an accounts package without MFA, you'll fail. The fix is usually a tenant-level conditional-access policy that requires MFA for every user, plus SSO through your identity provider for the stragglers that can't do MFA natively.
Global admins who also receive client email are among the most common findings. Admin accounts must not be used for email, browsing or day-to-day work: give each administrator a separate, MFA-protected admin account with no mailbox, and use it only for admin tasks. Non-negotiable.
Updates that fix vulnerabilities rated critical or high (CVSS v3 score of 7.0 or above, or flagged critical or high by the vendor) must be installed within 14 days of release, on every in-scope device and application, not just Windows. If your MSP's patch cadence is "monthly", you will fail. Move to weekly, with out-of-band handling for actively exploited bugs, and make sure browsers and third-party software are covered as well as the OS.
Personal phones and laptops that access email or documents are in scope; Plus doesn't let you exclude them unless you've blocked the access path entirely. Intune app protection policies (mobile application management) for phones, and MDM enrolment for laptops, are the sensible answer.
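As an added worked example (not part of the original article, and not IASME or NCSC tooling), the following Python script runs the checks behind the failure points above (unsupported OS, the 14-day patch window for critical/high fixes, admin accounts doubling as mail users, MFA on every cloud service) over a small inventory constructed inline. The inventory layout, the device and account names, the update references and the end-of-support dates in the table are assumptions for the example; in practice you would populate it from Intune, Entra ID or your MSP's RMM exports and verify lifecycle dates against the vendor.

```python
"""Pre-assessment gap check against the Cyber Essentials technical rules.

Added example for this article, not IASME or NCSC tooling. The inventory
shape, names, update references and end-of-support dates are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

PATCH_SLA_DAYS = 14  # critical/high fixes must be installed within 14 days of release
SLA_SEVERITIES = {"critical", "high"}

# Assumed lifecycle table for the example; confirm against the vendor's pages.
END_OF_SUPPORT = {
    "Windows 10 22H2": date(2025, 10, 14),
    "Windows 11 24H2": date(2026, 10, 13),
}


@dataclass
class Update:
    ref: str          # hypothetical update identifier, not a real KB number
    severity: str     # critical / high / medium / low
    released: date
    installed: bool


@dataclass
class Device:
    name: str
    os: str
    esu_enrolled: bool = False           # paid extended security updates still received
    updates: list = field(default_factory=list)


@dataclass
class Account:
    upn: str
    is_admin: bool
    has_mailbox: bool


@dataclass
class CloudService:
    name: str
    mfa_enforced: bool


def check_devices(devices, today):
    """Unsupported operating systems and overdue critical/high updates."""
    findings = []
    for d in devices:
        eos = END_OF_SUPPORT.get(d.os)
        if eos is None:
            findings.append(f"{d.name}: {d.os} not in lifecycle table, confirm support status")
        elif today > eos and not d.esu_enrolled:
            findings.append(f"{d.name}: {d.os} unsupported since {eos}, automatic fail")
        for u in d.updates:
            if u.installed or u.severity not in SLA_SEVERITIES:
                continue  # already applied, or outside the 14-day rule's scope
            age = (today - u.released).days
            if age > PATCH_SLA_DAYS:
                findings.append(
                    f"{d.name}: {u.ref} ({u.severity}) released {age} days ago, "
                    f"{age - PATCH_SLA_DAYS} days past the {PATCH_SLA_DAYS}-day window")
    return findings


def check_accounts(accounts):
    """Admin accounts must not double as day-to-day mail users."""
    return [f"{a.upn}: admin account also holds a mailbox, needs a separate admin identity"
            for a in accounts if a.is_admin and a.has_mailbox]


def check_cloud_services(services):
    """Every business cloud service must have MFA enforced, not merely available."""
    return [f"{s.name}: MFA not enforced" for s in services if not s.mfa_enforced]


def run_gap_check(devices, accounts, services, today):
    """All findings an assessor would raise, in inventory order."""
    return (check_devices(devices, today)
            + check_accounts(accounts)
            + check_cloud_services(services))


# Constructed sample inventory for an imaginary firm; fixed date keeps results reproducible.
TODAY = date(2026, 3, 2)
SAMPLE_DEVICES = [
    Device("director-laptop", "Windows 10 22H2"),                      # past end of support, no ESU
    Device("finance-desktop", "Windows 10 22H2", esu_enrolled=True),   # ESU keeps it supported
    Device("fee-earner-01", "Windows 11 24H2", updates=[
        Update("UPD-001", "critical", date(2026, 2, 10), installed=False),  # 20 days old: overdue
        Update("UPD-002", "high", date(2026, 2, 25), installed=False),      # 5 days old: in window
        Update("UPD-003", "medium", date(2026, 1, 5), installed=False),     # not covered by the rule
    ]),
]
SAMPLE_ACCOUNTS = [
    Account("jane@example.co.uk", is_admin=False, has_mailbox=True),
    Account("jane-admin@example.co.uk", is_admin=True, has_mailbox=True),   # the classic finding
    Account("adm-ops@example.co.uk", is_admin=True, has_mailbox=False),
]
SAMPLE_SERVICES = [
    CloudService("Microsoft 365", mfa_enforced=True),
    CloudService("Practice management portal", mfa_enforced=False),
]

if __name__ == "__main__":
    for finding in run_gap_check(SAMPLE_DEVICES, SAMPLE_ACCOUNTS, SAMPLE_SERVICES, TODAY):
        print("FAIL:", finding)
```

Run it before the assessor does: every line it prints is a finding you would otherwise pay to be told about on the day. The checks are deliberately strict on the boundary (an update is compliant on day 14 and a finding on day 15), and an OS missing from the lifecycle table is reported rather than silently passed.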
Put Cyber Essentials Plus renewal in the diary before your next professional indemnity renewal, client due-diligence round, or FCA/SRA review cycle. Having the certificate in hand is worth several weeks of negotiation.
Firms that skip the gap analysis and jump straight to the audit usually fail the first pass and spend twice the money. Don't skip.
IASME body fees alone are £500–£4,000 depending on size. Total first-time cost including remediation and consultant support is typically £4,000–£8,000 for a 25-person firm.
No universal mandate. But increasingly required by clients, panels, insurers, and government-adjacent work. The SRA expects proportionate cybersecurity; Plus is one of the cleanest evidence pieces.
Typically 6–12 weeks end-to-end for a 10–100-person firm: a couple of weeks of scoping, four to six weeks of remediation, and two to four weeks of assessor engagement, with the last two often overlapping.
If you already hold ISO 27001, you often still need Plus; they answer different questions. ISO 27001 is a management-system certification; Plus is technical-controls certification. Panel and insurer forms frequently ask for Plus specifically.
Yes — "whole organisation" or a defined sub-scope (a specific office, a specific product line) are both allowed. Scope must be clearly defined and logically separable. Most firms go whole-organisation; it's simpler to explain to clients.
Free 20-minute strategy call. I'll tell you the realistic timeline, the realistic cost, and whether you need Plus or can start with Essentials.