Lexcel Compliance

Secure, Comply, Certify is our unique three-step approach to achieving certification to Lexcel. Whilst many consultants will help you to implement the standard, ours go one step further by working with you to implement cyber security first, which strengthens your compliance with Lexcel.

As a large part of Lexcel is centred around data protection and client confidentiality, your framework should include cyber security measures to assess the external threats which could compromise the security of your information. We have established relationships with consultants and certification bodies to implement Secure, Comply, Certify, a 360 degree approach to information security.

About Lexcel

Throughout the Lexcel practice management standard there are references to security of systems and confidentiality of client data. In order to successfully achieve this certification, legal firms are required to demonstrate that their assets are secure from external threats by undertaking regular penetration testing.

Our Lexcel consultants can help you to identify the physical risks to your assets from a potential cyber threat whilst advising you on the relevant sections of the Lexcel standard. Using the results from a penetration test, we can strengthen your information security policies and procedures, and provide a full assessment of the external environment.

Below are the specific points from the Lexcel standard which have an influence on cyber security policy:

Lexcel Standard:

Strategic Plans

  • 2.4 – Practices will have a business continuity plan, which must include:
    • An evaluation of potential risks and the likelihood of their impact.
    • Ways to reduce, avoid and transfer the risks.
    • A procedure to test the plan annually in order to verify that it would be effective in the event of a business interruption.

Information Management

  • 4.1 – Practices will have an information management policy which must include:
    • The identification of relevant information assets of both the practice and clients.
    • The risk to these assets, their likelihood and the impact.
    • Procedures for the protection and security of the information assets.
    • A procedure for training personnel.
  • 4.2 – Practices will have an email policy, which must include:
    • Procedures for the management and security of emails.
  • 4.3 – If the practice has a website, the practice must have a website management policy which must include:
    • Procedures for the management of its security.
  • 4.5 – Practices will have a social media policy, which must include:
    • The scope of permitted and prohibited content.

Risk Management

  • 6.1 – Practices must designate one overall risk manager to be able to identify and deal with all risk issues.

Client Care

  • 7.1 – Practices will have a policy for client care, including:
    • Protecting client confidentiality.

File and Case Management

  • 8.5 – Practices will have a procedure to:
    • Safeguard the confidentiality of matter files and all other client information.

In order to address each of the above points, our certified consultants take you through a straightforward three-step framework which focuses firmly on security, compliance and certification.

By guiding you through this framework, we can ensure that you not only have the technology foundation in place to meet the requirements for Lexcel, but also that information security within your practice extends beyond technology to encompass your people, culture, processes and physical environment, so as to keep it resilient even in the event of a breach.


Contact us today to discuss your Lexcel related requirements.

Penetration Testing

Penetration testing is simulating an attack in the same way a hacker would. It is the only way to detect your vulnerabilities, allowing you to take precautions to make your IT impenetrable and demonstrating sec...



We are able to offer independent cyber security consultancy, advice and coaching to help you identify the cyber security needs of your business and where we can recommend solutions, services and training to mitigate the cyber risk.


Cyber Security Training

Cyber security training can help your staff to proactively reduce the risk of a cyber attack to your business. We offer training to your management, employees and mobile workers to raise awareness and protect your assets.

PCI DSS Compliance

If a business is set up to take credit cards by any mechanism, then it needs to be compliant. It is a common misunderstanding that small concerns handling only one or a few credit cards a year are exempt from these standards.

ISO 27001 Compliance

By achieving the ISO27001 certification, you can demonstrate that you are operating at a best-in-class standard for your Information Security Management System (ISMS) for both paper and electronically based assets.


Cyber Essentials Certification Body

Xyone Cyber Security are a qualified Certification Body, offering technical services, consultancy and support to help your business to implement Cyber Essentials and Cyber Essentials Plus.
