SRA Cybersecurity Compliance Checklist for UK Law Firms
The SRA does not publish a definitive cybersecurity checklist, but its Thematic Reviews, enforcement decisions, and the 2023 warning notice on cyber risks make clear what it expects to see. This checklist consolidates those expectations into a practical tool that UK law firms can use to assess their current compliance position, identify gaps, and prioritise remediation. Where the warning notice names a control firms are expected to have, the checklist turns it into an auditable item: something that either exists and can be evidenced, or does not.
Documentation Checklist
The following documents should exist, be current, and be producible on request:
- Information Security Policy — dated within the last 12 months, approved by senior management or managing partner
- Cyber Incident Response Plan — tested or reviewed within the last 12 months, with named responsible individuals
- Data Breach Notification Procedure — specifying who decides whether to notify the ICO and/or the SRA, and how the firm meets the UK GDPR requirement to notify the ICO within 72 hours of becoming aware of a reportable personal data breach
- Acceptable Use Policy — covering use of firm devices, personal devices, cloud storage, and social media
- Supplier/Third Party Due Diligence Record — documenting security assessments of all third parties with access to client data
- Staff Training Record — showing who received security awareness training, when, and what was covered
- Incident Register — a log of all security incidents in the past two years, regardless of outcome
- Access Review Record — showing periodic reviews of user access rights
Technical Controls Checklist
For each item, be able to demonstrate implementation with evidence:
- MFA deployed on all email accounts — partners, administrators, shared and service mailboxes as well as staff — with legacy protocols that bypass MFA (IMAP, POP and SMTP basic authentication) disabled
- MFA deployed on all remote access (VPN, Remote Desktop, case management portals)
- Endpoint protection (EDR/anti-malware) on all devices accessing client data, including remote worker machines
- Email security gateway with phishing and malware filtering
- SPF, DKIM and DMARC configured and enforced on every firm email domain — SPF ending in -all, DKIM signing on every service that sends mail as the firm, and DMARC at p=quarantine or p=reject with a reporting address (p=none is monitoring, not enforcement)
- Software patching programme — critical and high-severity patches applied within 14 days of release (the Cyber Essentials threshold), with unsupported software removed or isolated
- Backups: at least one copy offline or immutable, so that an attacker holding administrator credentials cannot delete or encrypt it, with a full restoration tested within the last six months
- Full-disk encryption on laptops and mobile devices, and encryption of removable media (or removable media blocked by policy)
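Evidencing the "configured and enforced" part of the email authentication item means reading the published records, not just confirming they exist. The script below is an added example, not an SRA tool or anything from this page: it parses SPF and DMARC TXT records and reports where they fall short of enforcement. The two record sets and the domain example-firm.co.uk are constructed for illustration. For a live check you would fetch the TXT records for the domain and for _dmarc.<domain> (for example with dnspython's dns.resolver.resolve(name, "TXT")) and pass the joined strings to assess_domain().

```python
import re

# Matches the SPF "all" term and captures its qualifier (+, -, ~, ? or none).
# Per RFC 7208 a missing qualifier means "+" (pass), i.e. no enforcement.
SPF_ALL = re.compile(r"(?:^|\s)([+\-~?]?)all(?:\s|$)")


def spf_policy(record):
    """Classify an SPF record by what it says about unlisted senders.
    Returns 'hardfail', 'softfail', 'neutral', 'pass-all' or 'missing'."""
    if not record or not record.lower().startswith("v=spf1"):
        return "missing"
    m = SPF_ALL.search(record.lower())
    if not m:
        return "neutral"  # no 'all' term: unlisted senders get a neutral result
    return {"-": "hardfail", "~": "softfail", "?": "neutral",
            "+": "pass-all", "": "pass-all"}[m.group(1)]


def spf_lookup_count(record):
    """Count mechanisms that cost a DNS lookup; more than 10 is a permerror
    and receivers then ignore the record entirely."""
    n = 0
    for term in record.lower().split():
        term = term.lstrip("+-~?")
        if term.startswith(("include:", "exists:", "redirect=", "a:", "mx:", "ptr:")) \
                or term in ("a", "mx", "ptr"):
            n += 1
    return n


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record):
    findings = []
    tags = parse_dmarc(record or "")
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no valid record published"]
    p = tags.get("p", "none").lower()
    if p == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif p == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once aggregate reports are clean")
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if p != "none" and pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so there is no report trail to evidence monitoring")
    sp = tags.get("sp", p).lower()  # subdomain policy defaults to p
    if sp == "none" and p != "none":
        findings.append("DMARC: sp=none leaves subdomains spoofable")
    return findings


def assess_domain(spf_record, dmarc_record):
    """Return a list of enforcement gaps; an empty list means both records enforce."""
    findings = []
    policy = spf_policy(spf_record)
    if policy == "missing":
        findings.append("SPF: no v=spf1 record")
    elif policy == "softfail":
        findings.append("SPF: ~all is a soft fail; most receivers treat it as a hint, not a rejection")
    elif policy in ("neutral", "pass-all"):
        findings.append(f"SPF: '{policy}' result for unlisted senders, i.e. no enforcement")
    if spf_lookup_count(spf_record or "") > 10:
        findings.append("SPF: more than 10 DNS lookups; the record will permerror and be ignored")
    findings.extend(dmarc_findings(dmarc_record))
    return findings


# Constructed sample records (not real DNS data) for a hypothetical firm domain.
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-firm.co.uk",
}
STRONG = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; pct=100; sp=reject; "
             "rua=mailto:dmarc@example-firm.co.uk; adkim=s; aspf=s",
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("strong", STRONG)):
        print(label, assess_domain(recs["spf"], recs["dmarc"]) or ["enforced"])
```

The WEAK set is what many firms actually publish: a soft-fail SPF and a DMARC record at p=none, which produces reports but rejects nothing. Run the assessment against the firm's real records and file the output with the date as the evidence for this checklist item; DKIM is not covered here because it is checked on a signed message rather than on a single DNS record.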
Process Controls Checklist
Process controls that prevent the most common attack types:
- Verified callback procedure for all bank detail changes — the caller rings back on a number already held on file or obtained independently, never one supplied in the email or letter requesting the change; documented and applied without exception
- Four-eyes authorisation on all payments above a defined threshold
- Joiners, movers, leavers process — access provisioned on day one, adjusted on role change (old entitlements removed, not just new ones added), and revoked within 24 hours of departure across email, VPN, case management and any cloud services
- Annual phishing simulation exercise with results recorded
- Client onboarding communication about bank account fraud risks
- Security briefing for all new starters within first week
Frequently Asked Questions
Is this checklist sufficient to demonstrate SRA compliance?
This checklist covers the controls and documentation the SRA has identified as expected in its thematic reviews and enforcement decisions. It is not an official SRA document. Completing the checklist provides a strong foundation for demonstrating compliance but does not guarantee regulatory approval. Consider combining it with Cyber Essentials certification for a formally verified baseline.
How often should we work through this checklist?
Review the documentation section annually and after any significant incident or changes to the firm's systems. Review the technical and process controls sections quarterly — or after any personnel changes, system changes, or security incidents.
Who should own this checklist in our firm?
The COLP (Compliance Officer for Legal Practice) is responsible for ensuring the firm has effective systems and controls to comply with SRA requirements, and is the natural owner. In practice, day-to-day management may be delegated to an Office Manager, Practice Manager, or IT Manager, but the COLP should review and sign off at least annually.
Get expert help working through this checklist — speak to our legal sector team