Cyber Essentials Readiness Checker for Law Firms: Are You Ready to Certify?
Cyber Essentials certification requires evidence of five specific technical controls. Many law firms attempt the self-assessment questionnaire without understanding which of these controls they have gaps in — and fail, wasting the certification fee. This readiness checker walks you through each control area, helping you identify what you have, what you are missing, and what you need to do before applying for certification.
Approximately one in three organisations that attempt Cyber Essentials self-assessment fail on the first attempt — most failures are in MFA, patch management, or access control.
Control 1: Firewalls — Are You Ready?
Cyber Essentials requires boundary firewalls protecting internet-facing systems and personal firewalls on all user devices. Questions to assess your readiness:
- Do you have a firewall between your internal network and the internet?
- Is the firewall configured to deny all inbound connections by default and only permit those you have explicitly authorised?
- Are all user devices (laptops, desktops, remote worker machines) running a software firewall?
- Are default administrator credentials changed on all firewalls?
- Is firewall configuration documented and reviewed at least annually?
Control 2: Secure Configuration — Are You Ready?
Cyber Essentials requires that all systems are securely configured — unused services disabled, default passwords changed, unnecessary software removed. Key readiness questions:
- Are default usernames and passwords changed on all devices and applications?
- Are unused or unnecessary user accounts, services, and software removed or disabled?
- Are all devices configured with auto-lock after a period of inactivity?
- Is the installation of software from sources other than official app stores or vendor websites blocked or restricted on managed devices?
Control 3: Access Control — Are You Ready?
Cyber Essentials requires user accounts with minimum necessary access and MFA for all administrative accounts (and, from January 2025, for all user accounts accessing cloud services):
- Do all user accounts have only the access they need for their role?
- Is MFA enforced for all accounts accessing cloud services (Microsoft 365, Google Workspace, practice management portals)?
- Are administrative accounts separate from standard user accounts?
- Is there a documented process to remove or modify access when staff leave or change roles?
- Are default and shared accounts disabled or removed?
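The access-control questions above can be answered from a user export rather than by memory. The following Python script is an added example, not part of the original checklist and not the output of any Cyber Essentials tool: it reads a constructed, simplified CSV export (the column layout is an assumption for this example, not any vendor's real export format) and flags the gaps the questions ask about: accounts without MFA, admin roles held on day-to-day user accounts, shared accounts still enabled, and leavers whose accounts were never disabled.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export for this example. Column names and the
# example-law.test domain are assumptions, not a real tenant or vendor format.
SAMPLE_EXPORT = """\
upn,account_type,admin_role,mfa_enrolled,enabled,employment_status
a.smith@example-law.test,user,,yes,yes,active
a.smith-admin@example-law.test,admin,Global Administrator,yes,yes,active
b.jones@example-law.test,user,Exchange Administrator,no,yes,active
reception@example-law.test,shared,,no,yes,active
c.brown@example-law.test,user,,yes,yes,left
d.white@example-law.test,user,,no,no,left
"""


def parse_export(text):
    """Parse the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def _yes(value):
    return value.strip().lower() == "yes"


def audit_accounts(rows):
    """Map each enabled account's UPN to the list of access-control gaps found.

    Disabled accounts are skipped: they cannot sign in, so they do not
    need MFA and a disabled leaver account is the desired end state.
    """
    findings = defaultdict(list)
    for row in rows:
        upn = row["upn"]
        if not _yes(row["enabled"]):
            continue
        has_admin_role = bool(row["admin_role"].strip())
        is_admin = row["account_type"] == "admin" or has_admin_role

        if row["employment_status"] == "left":
            findings[upn].append("leaver account still enabled")
        if row["account_type"] == "shared":
            findings[upn].append("shared account still enabled")
        if not _yes(row["mfa_enrolled"]):
            # The scheme text above requires MFA on every account that can
            # reach cloud services, with admin accounts the most urgent.
            findings[upn].append(
                "admin account without MFA" if is_admin else "cloud account without MFA"
            )
        if row["account_type"] == "user" and has_admin_role:
            findings[upn].append("admin role held on a standard user account")
    return dict(findings)


def control_ready(findings):
    """Control 3 is ready for self-assessment only when no gaps remain."""
    return not findings


if __name__ == "__main__":
    gaps = audit_accounts(parse_export(SAMPLE_EXPORT))
    for upn, issues in sorted(gaps.items()):
        print(f"{upn}: {', '.join(issues)}")
    print("Control 3 ready:", control_ready(gaps))
```

Run against a real export, the script gives a remediation list per account; every finding maps back to one of the five questions above, so an empty result is the evidence the self-assessment asks for.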
Control 4: Malware Protection — Are You Ready?
Cyber Essentials requires anti-malware protection on all in-scope devices:
- Is anti-malware software installed on all user devices, including remote worker machines?
- Is the anti-malware software kept up to date automatically?
- If you use application whitelisting rather than traditional anti-malware, is it properly configured to block execution of unapproved applications?
Control 5: Patch Management — Are You Ready?
Cyber Essentials requires that software is patched and up to date within 14 days of patches being released:
- Do all operating systems on in-scope devices receive automatic updates?
- Is all software (browsers, Office, case management applications, plugins) updated within 14 days of updates being released?
- Is unsupported software (software that no longer receives security updates) removed or isolated from the network?
- Do you have a documented patching process with records showing when patches were applied?
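The 14-day rule is easiest to evidence with a dated inventory. The script below is an added example (not part of the original page and not a Cyber Essentials tool): given a constructed inventory of installed versus latest versions with their release dates, it classifies each item as up to date, pending (inside the 14-day window), overdue, or unsupported, and lists devices that lack automatic updates. The record layout, device names and version strings are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# The 14-day window stated in the patch management control above.
PATCH_WINDOW = timedelta(days=14)


@dataclass(frozen=True)
class SoftwareRecord:
    device: str
    product: str
    installed_version: str
    latest_version: str
    latest_released: date   # date the vendor released latest_version
    vendor_supported: bool  # False once the product no longer gets security updates
    auto_update: bool       # whether updates apply automatically on this device


# Constructed inventory for this example; names, versions and dates are made up.
SAMPLE_INVENTORY = [
    SoftwareRecord("LAPTOP-01", "Operating system", "1.0", "1.1", date(2024, 12, 10), True, True),
    SoftwareRecord("LAPTOP-01", "Browser", "7.2", "7.2", date(2024, 12, 20), True, True),
    SoftwareRecord("LAPTOP-02", "Case management plugin", "2.3", "2.4", date(2024, 12, 30), True, False),
    SoftwareRecord("LAPTOP-02", "Office suite", "16.0", "16.0", date(2024, 12, 5), True, False),
    SoftwareRecord("DESKTOP-03", "Legacy OS", "SP1", "SP1", date(2020, 1, 14), False, False),
]


def assess_patch_status(records, today):
    """Return {(device, product): (status, days_overdue, note)} for each record.

    status is one of 'ok', 'pending', 'overdue' or 'unsupported'.
    Unsupported software is a gap regardless of version: the control
    requires it to be removed or isolated from the network.
    """
    results = {}
    for r in records:
        key = (r.device, r.product)
        if not r.vendor_supported:
            results[key] = ("unsupported", None, "remove or isolate from the network")
            continue
        if r.installed_version == r.latest_version:
            results[key] = ("ok", 0, "up to date")
            continue
        deadline = r.latest_released + PATCH_WINDOW
        days_late = (today - deadline).days
        if days_late > 0:
            results[key] = ("overdue", days_late,
                            f"released {r.latest_released}, deadline was {deadline}")
        else:
            results[key] = ("pending", 0, f"must be applied by {deadline}")
    return results


def devices_without_auto_update(records):
    """Devices with at least one product that does not update automatically."""
    return sorted({r.device for r in records if not r.auto_update})


def control_ready(results):
    """Control 5 is ready only when every item is up to date or still in its window."""
    return all(status in ("ok", "pending") for status, _, _ in results.values())


if __name__ == "__main__":
    today = date(2025, 1, 6)  # assumed assessment date for the example
    status = assess_patch_status(SAMPLE_INVENTORY, today)
    for (device, product), (state, days, note) in sorted(status.items()):
        print(f"{device:10} {product:24} {state:12} {note}")
    print("No auto-update:", devices_without_auto_update(SAMPLE_INVENTORY))
    print("Control 5 ready:", control_ready(status))
```

The output doubles as the patching record the last question asks for: keeping the dated inventory and re-running the assessment each month produces the evidence of when patches were due and applied.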
Frequently Asked Questions
What happens if we fail the Cyber Essentials assessment?
If your self-assessment is rejected by the certifying body, you will typically receive feedback identifying which control areas need remediation. You can resubmit after addressing the gaps. The certification fee is usually not refunded for a failed first attempt, which is why completing a readiness check before applying is time and money well spent.
Does Cyber Essentials cover our cloud services?
Cyber Essentials applies to all devices and services within your scope — which includes cloud services used by your staff. From January 2025, the scheme requires MFA on all cloud services where accounts can access organisational data. This means Microsoft 365, case management portals, and other cloud-based tools are all in scope and must meet the control requirements.
Should we go for Cyber Essentials or Cyber Essentials Plus?
Standard Cyber Essentials (self-assessment) is sufficient for most law firms and satisfies SRA and typical insurer requirements. Cyber Essentials Plus (with technical verification) provides stronger assurance and is preferred by government clients and some larger commercial clients. If you have specific client or tender requirements demanding CE+, pursue that; otherwise standard CE is the most cost-effective starting point.
Get help achieving Cyber Essentials certification — speak to our team