Information security management remains a serious issue for the legal sector, with law firms reporting an increase in targeted attacks in 2018. Large volumes of client funds and confidential information are irresistible to cyber criminals, so it is unsurprising that 60% of law firms reported that they had suffered a security incident during the year (PwC Law Firms’ Survey 2018).
Leading law firms are tackling cyber threats head-on with ISO 27001, the international standard for information security. By implementing a best-practice ISMS (information security management system) and certifying to ISO 27001, management teams can safeguard their firm. With cyber attacks on the rise, data protection should be a high priority for all law firms.
ISO 27001 certification is increasingly demanded of law firms when tendering for major projects. Achieving accredited certification to ISO 27001 will put your firm in the running for these tenders and demonstrate that you are committed to protecting your clients’ confidential data.
What is ISO 27001?
ISO 27001 is one of the most popular information security standards in the world, with certifications growing by more than 450% in the past ten years. It sets out the requirements for an ISMS, which is a systematic approach to information security focusing on people, processes and technology that helps you protect and manage all your organisation’s information through effective risk management.
Be proactive with your firm’s information security
PwC’s 2018 survey found that 46% of law firms had a security incident related to their own staff where the firm had suffered a loss or leak of confidential information. When asked about IT disaster recovery, only 27% of respondents were very confident that their testing had completely demonstrated that their firm’s end-to-end operable services could be recovered in accordance with business recovery requirements. The survey results indicated that, in the event of a serious incident, some law firms might not be prepared to respond appropriately.
Since the GDPR (General Data Protection Regulation) came into force in May 2018, all organisations are legally required to report certain types of personal data breach to the ICO (Information Commissioner’s Office) within 72 hours of becoming aware of the breach. This makes it essential for law firms to ensure that they can promptly identify and understand the nature and scale of any breaches.
Since employees can jeopardise your firm’s security with a single moment of carelessness, it is clear that addressing information security risks is about far more than simply implementing processes and installing anti-malware and antivirus software. A more proactive approach to information security is needed, and this should include ensuring that all members of the firm are adequately trained.
How will my firm benefit from ISO 27001?
- ISO 27001 can help your firm protect the confidentiality, integrity and availability of your firm’s information assets, as well as those of your clients.
- It helps you meet your legal and regulatory data protection obligations while improving your firm’s cyber security posture and productivity.
- Your firm can achieve independently audited certification to the Standard when you implement an ISO 27001-compliant ISMS, demonstrating your firm’s information security credentials to clients, stakeholders and regulators.
- Following certification to the Standard, you can specify that your key suppliers also achieve certification, ensuring that these third parties also maintain suitable levels of security. This supports GDPR compliance.
- Your firm will be in good company: approximately 40,000 organisations around the world – including numerous law firms – are already certified to ISO 27001.
Get your firm on track with ISO 27001
We are pleased to have worked with many law firms to implement ISO 27001, ranging from the Magic Circle to medium-sized and smaller firms, so we are well-placed to assist you.
Fast-track your ISO 27001 project, cut your costs and save time with our implementation bundles, designed to suit firms of any size.
To find out more about our ISO 27001 services for the legal sector, simply complete an enquiry form to contact our experts or call our team on +44 (0)333 800 7000 to discuss your firm’s requirements.
I accept that ISO 27k is a positive step in the right direction. I am however not convinced that it provides the assurance that a user entity must seek from an outsourced entity. That is, the outsourced organisation defines the context of risk within ISO 27k.
My thought is that ASAE 3000 or ASAE 3402 are essential for the user entity to define the risk appetite on which to assess the outsourced entity.