---
name: sra-it-assessment-helper
description: Draft the IT and information-security section of an SRA client-file / practice-assurance review for a London law firm — covering technology controls, confidentiality of client information, remote-working, cyber-incident response, and supervision of IT arrangements.
version: 1.0.0
author: VantagePoint Networks
author_url: https://www.vpnetworks.co.uk
audience: COLPs, COFAs, IT Managers and Managing Partners at SRA-regulated firms; MSPs supporting UK law firms
output_format: Formatted Markdown self-assessment covering SRA Standards and Regulations alignment, with control-by-control evidence, gap register, and remediation priorities.
license: MIT
last-reviewed: 2026-04
---

# SRA IT Assessment Helper

A Claude Code skill for the COLP or managing partner preparing for an SRA review — producing the IT and information-security self-assessment in the language the SRA expects, without guessing what "appropriate controls" means in practice.

## How to use this skill

1. Download this `SKILL.md` file.
2. Place it in `~/.claude/commands/` (macOS/Linux) or `%USERPROFILE%\.claude\commands\` (Windows).
3. In Claude Code, run `/sra-it-assessment-helper`. Describe the firm. Answer the clarifying questions. Receive the self-assessment.

## When to use this

- An SRA review / inspection has been scheduled.
- You're renewing PII cover and the insurer wants an IT risk statement aligned to SRA expectations.
- A client has asked how the firm protects their confidentiality as part of a due-diligence questionnaire.
- A material incident occurred and you need to document the firm's IT posture post-incident.
- You want a reviewable baseline that the COLP can use at the annual compliance review.

## What you'll get

A single Markdown document containing:

- **Scope & firm overview** (legal entity, authorisations, locations, staff)
- **Mapping to SRA Standards and Regulations** — specifically Rules on confidentiality, supervision, and competence, as they apply to technology
- **Technology control statements** (authentication, access, encryption, mobile, cloud, AI)
- **Client confidentiality & file protection** (including privileged material)
- **Remote-working controls**
- **Cyber-incident response** (with SRA-reporting considerations)
- **Supervision of IT arrangements** (outsourced or in-house)
- **Staff training and acknowledgement**
- **Gap register** with remediation priorities
- **COLP sign-off** page

## Clarifying questions I will ask you

1. **Firm size (fee earners, support staff, offices)?**
2. **Practice areas?** (affects sensitivity — family, children, criminal, high-net-worth, commercial)
3. **IT delivery model?** (fully in-house / MSP-supported / MSP-managed / mix)
4. **Case / matter management system?**
5. **Where are client files stored?** (on-prem, cloud, hybrid)
6. **Remote working posture?** (hybrid, office-first, fully remote)
7. **AI tools in use?** (Copilot, ChatGPT Enterprise, private AI, none)
8. **Cyber insurance in place?** (and limit)
9. **Last PII renewal date?**
10. **Any recent incidents to disclose?** (data breaches, near-misses, phishing-induced)
11. **Cyber Essentials / Plus status?**
12. **Has the firm had an SRA intervention or concern raised before?**

## Output template

```markdown
# SRA IT & Information Security Self-Assessment — <firm>

**Firm:** <legal name> · **SRA ID:** <number> · **Date:** <date>
**COLP:** <name> · **COFA:** <name> · **Prepared by:** <role>
**Review period:** <date> to <date>

## 1. Firm Overview
- **Legal entity:** <name, partnership/LLP/Ltd>
- **Authorisations:** <scope>
- **Offices:** <list>
- **Staff:** <N> fee earners, <N> support
- **Practice areas:** <list — highlighting regulated / vulnerable-client areas>
- **IT delivery model:** <in-house / MSP / mixed — with responsible roles>

## 2. Alignment to the SRA Standards and Regulations
The following rules have a direct technology dimension:

### Principles
- **Principle 5** (maintain public trust and confidence): confidentiality of client information
- **Principle 7** (best interests of each client): protection of client data from loss / compromise

### Code of Conduct (Individuals)
- **6.3** — keep client information confidential
- **6.4** — duty to disclose material information (affected by breaches)
- **2.7** — ability to justify decisions (evidence)

### Code of Conduct (Firms)
- **2** — compliance systems, policies, and practices
- **4** — client information, confidentiality, and data protection
- **5** — business systems and controls (including IT)

Each control statement below references the applicable rule(s).

## 3. Technology Control Statements

### 3.1 Authentication & Access (Code of Conduct for Firms §5; Principle 5)
- Multi-factor authentication is enforced for all staff and partners on all cloud services (M365, matter-management, document management, remote-access). Evidence: Conditional Access policy export, audit log.
- Privileged accounts are separated from daily-use accounts; named "-admin" accounts only.
- Joiner / leaver process documented; leaver access revoked within <N> hours.
- Periodic access review: <cadence>.
- Break-glass accounts exist, documented, tested <date>.

### 3.2 Encryption (Principle 7; Code §4)
- Device encryption (BitLocker / FileVault) enforced on all firm-issued and BYOD devices.
- Data in transit: TLS 1.2+ only; legacy disabled.
- Cloud services: M365 default encryption, with <customer-managed keys / platform-managed>.
- Email encryption available for sensitive material (S/MIME / M365 Message Encryption).

### 3.3 Client File Protection (Code §4)
- Matter files stored in <location> with access controlled by matter teams.
- Least-privilege model: no blanket "everyone except external" sharing; flagged during site audit in <date>.
- Legally privileged material handled per firm policy <ref>.
- DLP policies alert on potential external leakage of matter-identifying material.
- Backup and retention per retention schedule <ref>; tested <date>.

### 3.4 Mobile & Remote Working
- BYOD permitted with MDM enrolment (see BYOD Policy <ref>). Selective-wipe supported.
- Company devices: MDM-enrolled; full-disk encrypted; lock-screen enforced.
- Remote access: via <tool>; split-tunnel posture documented; Conditional Access requires compliant device.
- Home-working: staff sign remote-working declaration (clean desk, confidential calls, router security).

### 3.5 Cloud Services & Third-Party Suppliers
- Cloud vendor register maintained in <location>.
- Each vendor with personal / client data has a current DPA.
- Sub-processor changes monitored; material changes trigger DPIA re-review.
- SRA's position on cloud outsourcing met: firm retains oversight and control; exit plan documented for each critical vendor.

### 3.6 Artificial Intelligence
- AI Use Policy in place <ref>. Scope: which tools, which data classes permitted, prohibited uses.
- Copilot for M365 (if licensed): EU Data Boundary enabled; SharePoint hygiene completed pre-rollout; sensitivity labels applied.
- Prohibited: pasting privileged or identifiable client material into non-approved AI tools.
- DPIA completed for material AI processing <ref>.
- Staff training on AI use includes professional conduct: AI drafts, humans decide.

### 3.7 Network Security
- Boundary firewall(s): <vendor/model>; deny-all default; rules reviewed <cadence>.
- Endpoint protection: <vendor>; real-time + web protection enabled via MDM / GPO.
- Patch management: high-risk within 7 days; critical within 14 days; coverage report available.
- Vulnerability scanning: <cadence>; remediation tracked.

### 3.8 Business Continuity & DR
- BCP covers loss of office, loss of key systems, loss of key people.
- DR tested <cadence>; last test: <date>; outcome summary: <>.
- RTO <N> hours / RPO <N> hours for client-matter systems.
- Offsite / cloud backup verified recoverable.

## 4. Cyber Incident Response (Code §5; Principle 7)
- Incident response playbook <ref>; tested <date>.
- Named incident commander: <role>. Out-of-hours escalation: <>.
- Reporting obligations understood:
  - **ICO (UK GDPR Art. 33):** personal-data breach notifications within 72 hours where criteria met
  - **SRA:** prompt notification of any material incident affecting client files / privilege / ability to practise
  - **Cyber insurer:** per policy
  - **Clients:** per contract and per DPA
- Recent incidents / near-misses in period: <N> — summary log retained.

## 5. Supervision of IT Arrangements
Whether in-house or outsourced, the firm maintains effective oversight.

- **In-house:** IT team reports to <role>. Regular IT governance meeting at <cadence>.
- **Outsourced / MSP:** supplier reviewed <cadence>; contract includes audit rights; firm receives regular service reporting; supplier's awareness of the firm's SRA obligations confirmed.
- **Exit plan** for MSP / critical cloud vendor documented and tested in principle.

## 6. Staff Training & Competence
- Induction includes: information security, client confidentiality, AI use policy, incident reporting.
- Annual refresher mandatory; attendance tracked.
- Phishing simulation programme in place <ref>; click rate trending to <N>%.
- Competence for technology in scope: senior IT role <named>, <certifications>, external supervision via <MSP>.

## 7. Gap Register & Remediation Priorities
| Gap | SRA rule / Principle | Severity | Remediation | Owner | Target |
|---|---|---|---|---|---|
| E.g. No documented MSP exit plan | Code §5 supervision | High | Draft exit plan, review with MSP, test tabletop | COLP | Q<N> |
| E.g. Matter-file sharing not audited in 24 months | Principle 5, Code §4 | High | SharePoint hygiene sweep; label rollout | IT Manager | Q<N> |
| | | | | | |

## 8. Conclusion & Sign-off
**Overall posture:** <Adequate / Developing / At risk>, with a plan to reach <target> by <date>.
**Approved by COLP:** _________________________________  Date: __________
**Approved by Managing Partner:** _________________________________  Date: __________

## 9. Appendices
- Incident log (last 12 months)
- Vendor / DPA register
- Policy index (IS, AI Use, BYOD, Remote Working, Data Retention, Incident Response)
- Evidence pack references (Conditional Access export, compliance report, test results)
```
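Section 3.1 of the template cites a Conditional Access policy export as the evidence for MFA enforcement and for break-glass accounts. The script below is an added example (not part of the skill or VantagePoint's own tooling) of turning that export into evidence lines a COLP can paste into the assessment. It assumes the JSON shape returned by the Microsoft Graph `conditionalAccessPolicies` endpoint (`displayName`, `state`, `conditions.users`, `conditions.applications`, `grantControls`); the sample export, policy names and account IDs are constructed placeholders, not a real tenant.

```python
"""Evidence check for section 3.1: is MFA enforced tenant-wide, and are the
only exclusions the documented break-glass accounts?

Added example. Assumed input: a JSON export of Microsoft Graph
conditionalAccessPolicies (schema assumption, see lead-in). All IDs and
policies below are constructed for illustration.
"""
import json

# Constructed: the firm's documented break-glass account object IDs (placeholders).
BREAK_GLASS_ACCOUNTS = {
    "bg-00000000-0000-0000-0000-000000000001",
    "bg-00000000-0000-0000-0000-000000000002",
}

# Constructed sample export, shaped like the Graph response body.
SAMPLE_EXPORT = {
    "value": [
        {   # Tenant-wide MFA, excluding only the two break-glass accounts: the control we want to see.
            "displayName": "CA001 - Require MFA for all users",
            "state": "enabled",
            "conditions": {
                "users": {"includeUsers": ["All"],
                          "excludeUsers": sorted(BREAK_GLASS_ACCOUNTS)},
                "applications": {"includeApplications": ["All"]},
            },
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        },
        {   # Report-only: logs what would happen but enforces nothing, so it is not evidence.
            "displayName": "CA002 - Require MFA for admin roles",
            "state": "enabledForReportingButNotEnforced",
            "conditions": {
                "users": {"includeRoles": ["role-placeholder-global-admin"]},
                "applications": {"includeApplications": ["All"]},
            },
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        },
        {   # Block policy, not an MFA grant: ignored by this check.
            "displayName": "CA003 - Block legacy authentication",
            "state": "enabled",
            "conditions": {
                "users": {"includeUsers": ["All"]},
                "applications": {"includeApplications": ["All"]},
                "clientAppTypes": ["exchangeActiveSync", "other"],
            },
            "grantControls": {"operator": "OR", "builtInControls": ["block"]},
        },
        {   # App-scoped MFA with an undocumented exclusion: a gap to record in section 7.
            "displayName": "CA004 - Require MFA for NetDocuments",
            "state": "enabled",
            "conditions": {
                "users": {"includeUsers": ["All"],
                          "excludeUsers": ["bg-00000000-0000-0000-0000-000000000001",
                                           "contractor-00000000-0000-0000-0000-0000000000aa"]},
                "applications": {"includeApplications": ["app-placeholder-netdocuments"]},
            },
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        },
    ]
}


def load_export(path):
    """Read a saved Graph export from disk (same shape as SAMPLE_EXPORT)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def requires_mfa(policy):
    """True if the grant enforces MFA, either as a built-in control or an authentication strength."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    return "mfa" in controls or grant.get("authenticationStrength") is not None


def is_tenant_wide(policy):
    """True if the policy targets all users on all cloud apps."""
    cond = policy.get("conditions") or {}
    users = (cond.get("users") or {}).get("includeUsers") or []
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    return "All" in users and "All" in apps


def assess_mfa_coverage(export, break_glass):
    """Summarise MFA enforcement and any exclusions not on the break-glass list."""
    findings = {"tenant_wide": [], "report_only": [], "unexpected_exclusions": {}}
    for policy in export.get("value", []):
        if not requires_mfa(policy):
            continue
        name = policy.get("displayName", "<unnamed>")
        state = policy.get("state")
        if state == "enabledForReportingButNotEnforced":
            findings["report_only"].append(name)
            continue
        if state != "enabled":
            continue  # disabled policies enforce nothing
        cond = policy.get("conditions") or {}
        excluded = set((cond.get("users") or {}).get("excludeUsers") or [])
        unexpected = sorted(excluded - break_glass)
        if unexpected:
            findings["unexpected_exclusions"][name] = unexpected
        if is_tenant_wide(policy):
            findings["tenant_wide"].append(name)
    # The control statement holds only if an enabled tenant-wide policy exists
    # and that policy excludes nothing beyond the documented break-glass accounts.
    findings["mfa_enforced_for_all"] = bool(findings["tenant_wide"]) and not any(
        name in findings["unexpected_exclusions"] for name in findings["tenant_wide"]
    )
    return findings


def render_evidence(findings):
    """Produce Markdown bullets in the style of section 3.1 of the template."""
    status = "enforced" if findings["mfa_enforced_for_all"] else "NOT demonstrably enforced"
    lines = [f"- MFA for all users on all cloud apps: {status}."]
    lines += [f"  - Tenant-wide policy: {n}" for n in findings["tenant_wide"]]
    lines += [f"  - GAP: report-only policy (not enforced): {n}" for n in findings["report_only"]]
    for name, ids in findings["unexpected_exclusions"].items():
        lines.append(f"  - GAP: non-break-glass exclusions in '{name}': {', '.join(ids)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_evidence(assess_mfa_coverage(SAMPLE_EXPORT, BREAK_GLASS_ACCOUNTS)))
```

Run against a real export with `load_export("ca-policies.json")` in place of `SAMPLE_EXPORT`; the break-glass set should be the same list of accounts named in the 3.1 control statement, so that any other exclusion surfaces as a gap for section 7 rather than silently weakening the "all staff and partners" claim.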

## Example invocation

**User:** "30-fee-earner London law firm, family + private-client focus. In-house IT. M365, NetDocuments, SmartVault. No Cyber Essentials yet. Annual SRA compliance review coming. We've had one minor incident — phishing click, no data loss."

**What the skill will do:**
1. Ask 12 questions, emphasising: family / private-client sensitivity (vulnerable clients, privileged material), whether the phishing click resulted in any credential re-use requiring rotation, whether matter-file oversharing has been assessed.
2. Produce the assessment with particular attention to:
   - Principle 5 confidentiality framing for matter access
   - AI section noting no current tools but policy ready before adoption
   - The phishing incident logged with remediation (training refresh + targeted next simulation)
   - Gap register highlighting Cyber Essentials certification as high-priority remediation within 6 months
3. Produce a COLP-ready document that the partner can sign and present at the SRA review.

## Notes for the requester

- **SRA doesn't prescribe specific tech.** It requires "appropriate" controls. This document shows what appropriate looks like for a firm of your size and risk profile.
- **Material incidents are SRA-reportable.** "Material" is not defined tightly — when in doubt, notify and document the decision. The COLP decides.
- **The ICO and SRA obligations run in parallel, not in sequence.** A personal-data breach affecting client matter files may trigger both.
- **Outsourced IT doesn't remove the firm's obligations.** Supervision is on the firm, not the MSP.
- **Cyber Essentials Plus is increasingly expected** by clients, insurers, and procurement frameworks. If you haven't got it, flag as a near-term gap.
- **Good looks like:** the COLP can answer SRA IT questions with confidence, the self-assessment is current within 6 months, gaps are tracked to closure, and clients' due-diligence questionnaires can be answered from this document + the RoPA + one privacy notice.

---
*VantagePoint Networks · <https://www.vpnetworks.co.uk> · Authored by Hak · Free under the MIT licence*
