Many law firms are already registered to ISO 9001 for their Quality Management Systems and seeing the benefits of a solid, process-based system across their business. Increasingly as firms handle sensitive data on behalf of clients many legal practices are seriously considering a framework to control their risk, compliance and governance in relation to Information Security.
ISO 27001 is the International Standard for Information Security and after several high-profile data breaches coming from blue chip organisations, social media outlets and the legal profession, it may be that the time is right for you to investigate the benefits of an International standard to manage the risks to the data you hold.
Law firms actively manage and comply with Data Protection and GDPR, and often defend those organisations found to be in breach of the regulations and legislation. Identifying, consolidating and managing the Information Security risks within their own practices would clearly demonstrate a commitment to the confidentiality of clients’ data. Achieving Certification to ISO 27001 would demonstrate such a commitment.
What are the benefits for your law firm?
- A management system that ensures Information Security risks are identified and controlled,
- Compliance with legislation including GDPR,
- Internationally recognised certification,
- Marketing benefits through the provision of assurance to your clients.
Within a law firm the most valuable asset is information: how you store it, use it, retain it, share it and archive it, ALL within a secure system. A systematic and process-led approach allows you to protect information from risks and threats. This can only be done by first identifying ALL risks and threats to your clients and your business, and then applying suitable controls. ISO 27001 provides the framework within which this can be achieved.
Fraud, cyber-attacks, data leaks and unauthorised information access are big business for fraudsters, and you only need to read the daily newspapers to see how this is affecting banks, insurance providers, social media, the legal profession and many ordinary citizens. Certification helps firms demonstrate to their clients how their firm:
- Protects their clients and reputation
- Ensures secure exchanges of information
- Avoids financial penalties
- Meets the needs of partners and stakeholders
- Achieves international regulatory compliance
A vast number of organisations in the UK already have robust Information Security systems, and many are already certified to ISO 27001. It is therefore unsurprising that they expect their lawyers and counsel to demonstrate the same standards in securing data as they already have in place themselves.
Many calls to QCS raise the following questions on information and data security.
- How do we prove to our clients that their data is secure?
- What does secure data mean for us?
- How do we prove we are compliant?
- How do we identify what our risks are?
- How do we manage these risks?
- What do we do next?
An example of risk that we all now know about:
The Panama Papers are 11.5 million leaked documents that detail financial and attorney–client information for more than 214,488 offshore entities.
The leaked documents were created by Panamanian law firm and corporate service provider Mossack Fonseca; some date back to the 1970s.
The company informed clients on 3 April 2016 that files had been obtained through a hack of the company’s email server. Forbes has suggested that the firm’s information security was poor, with old versions of key tools in use alongside other vulnerabilities.
At QCS, we are often asked, where do we begin?
Step 1 – By conducting a gap analysis an organisation can establish what is already in place and then include it in the system, or adjust it where necessary to show conformance with ISO 27001. This is usually easier than trying to do everything from scratch.
We find in our work that many organisations are already meeting many of the requirements within their own procedures and arrangements. A gap analysis measures these against the standard and makes recommendations on what must happen if certification is to be achieved. The output of such analysis tends to be an action list.
The gap analysis will identify which procedures need to be changed or introduced, which controls are necessary for ISO 27001 certification, what training staff need, and how a system for reviewing and checking the effectiveness of the controls introduced should be developed.
The kinds of documentation and action required to lead you to conformance with the standard include:
- Issuing and adoption of Information Security Policy
- Establishment of key information security objectives and measures – to demonstrate improvement and to drive change
- Review and adoption of effective procedures for HR, IT systems, Admin, Finance and Software
- Understanding your assets, and how these are to be managed
- Adoption of applicable controls as described within ISO 27001
- Risk Assessment procedures
- Audits, inspections and reviews on the effectiveness of arrangements
- Management Reviews – making decisions on changes and improvements
It can be daunting to start the process. However, the cost of ignoring the risks to your information security systems, no matter how small, can be considerable. QCS International can help you to understand the process and ensure you have the necessary skills to manage the system yourselves.
Find out more by attending one of our ISO 27001 courses or giving us a call to see how we might be able to assist.