ISO 27001 for Law Firms

Meet client information security audit demands with the international information security standard, ISO 27001

Having worked with a number of high-profile, specialist and niche law firms throughout the country, we know that many practices are subject to regular information security audits requested by their clients. These can be laborious and time-consuming – as well as disruptive – to carry out.

Certification to ISO 27001, the international information security standard, eliminates the need to repeatedly undergo detailed information security audits because the certification body has already done the audit. ISO 27001 is recognised worldwide as the international information security standard, and certification greatly reduces the burden of regular audits.

Comply with the GDPR

As of May 2018, all organisations that hold information on EU data subjects will be required to comply with the EU General Data Protection Regulation (GDPR). Failure to comply can result in tough penalties, and breached organisations can expect fines of up to 4% of annual global revenue or €20 million – whichever is greater.

Until now, law firms that have suffered data breaches have largely managed to keep out of the media spotlight – with the notable exception of the Panamanian firm Mossack Fonseca – but this will soon change. When the GDPR comes into force in May 2018, law firms will have to disclose breaches that compromise the rights of data subjects. Having information security controls already in place, such as those recommended in ISO/IEC 27001:2013, will strengthen your cyber security stance, and will significantly reduce the likelihood and impact of suffering a breach.

Stringent information security is important in the legal sector

Cyber crime presents a significant risk to clients and their assets, including information and money, which not only leads to a negative impact on the structural or financial stability of a law firm, but can severely damage a firm’s reputation. Under Principle 10 of the Solicitor’s Regulation Authority (SRA) handbook, law firms within England and Wales have a responsibility to “protect client money and assets”.

With law firms ranked the seventh most frequent target for cyber criminals by CISCO’s last Annual Security Report, law firms are under considerable pressure from both clients and the government to protect confidential information.

We are now seeing clients demand that their law firms implement stringent information security controls, such as those set out in ISO 27001, to protect their confidential information.

ISO 27001

Many law firms are now implementing ISO 27001-compliant information security management systems (ISMSs) to ease the workload of regular audits and better manage their sensitive information. Not only does this prove to their clients that they take information security seriously, it enables them to gain an advantage over their competitors. Top UK law firms that have achieved certification to the Standard include Allen & Overy, Clifford Chance, DLA Piper and Linklaters.

ISO/IEC 27001:2013 sets out the best-practice specifications of an ISMS, a system of managing the confidentiality, integrity and availability of your information assets. Complying with this standard provides your business with a holistic approach to information security – encompassing people, processes and technology – that is recognised worldwide.

Why IT Governance?

IT Governance is a global provider of information security solutions, and has helped over 400 organisations around the world achieve certification to ISO 27001.

We have helped law firms of all sizes (and across multiple locations) achieve their information security objectives through a mixture of tools, training, consultancy and penetration testing, and we can help you, too, with our affordable, fixed-price solutions.

Contact us on 00 800 48 484 484 or at servicecentre@itgovernance.asia to discuss your information security requirements with one of our advisors today.

Free resources: