Why ISO 27001 certification is important for law firms

19
May
2014

Gillian Walton

Obtaining ISO 27001 certification provides your law firm’s clients with the reassurance you are dealing with their information securely. A law firms “product” is the information it provides to their client. You need to protect your product to protect your client. Most stores these days have detectors fitted at their entrances to sound an alarm in the event of theft. If stores put controls in place to mitigate the risk of their products being stolen, then law firms should do the same; ISO 27001 is like the detector at the entrance of a store, it is a way a law firm can protect their information, or their product. 

The lock on your front door is the most basic control you put in place to secure your home and its contents. Would you leave the front door to your home unlocked every time you left the house? The alarm you install in your home is a further defence you put in place to mitigate the risk of burglary. Would you ignore the sound of your house alarm? So a law firm will naturally have firewalls, antivirus, and a security man at the main entrance, essentially the keys to the front door but taking the extra steps to obtain ISO 27001 certification is like the security alarm. It mitigates the risk of intruders, hacking or stolen data, for example, providing controls that will alert the relevant team in the event of an incident. 

We have constant access to information and movement of data at any time of the day, but how can we find out about it when we don’t know about it? How can we search for “fishing” on the internet if we don’t know it’s actually spelt “phishing”? By implementing the ISO 27001 standard, it raises the awareness of the importance of information security within the firm. These messages need to be communicated via a training and awareness programme. Providing presentations, messages on the intranet, posters and incorporating into new joiner training are examples of what could be included in the programme. The firm will soon know about phishing, the importance of shredding confidential information or being aware of your mobile phone conversations in public. In a recent survey Security Awareness Training Survey by Enterprise Management Associates (EMA) and sponsored by Security Mentor revealed “56% of employees still receive no security awareness training”. This highlights a huge gap where education is vital and therefore putting firms at risk. The training and awareness programme needs to be integral to all areas of the business and become standard practice.  

The ISO 27001 standard covers both hard and soft data. The majority of a law firm’s information is provided electronically and immediate instinct tells you ISO 27001 is an IT project. But what about the hard copy case file left on the train by mistake? What about the 20 years’ experience the top performing lawyer has gained contributing to the slick performance of their award winning department and decides to leave? Have employees undergone the correct employment checks? Are they following policy? What about the person who tailgated into the building and got to the 3rd floor undetected? These are just some examples of issues that demonstrate information is stored in various formats, not just electronic or hard copy but also intellectual property. Therefore this shows it is not just an IT project. It needs all areas of the firm HR, Facilities, Risk and Compliance, Finance and Knowledge Management including lawyers and their support staff. Pulling expertise from various departments makes gaining certification a lot easier and essential to ensure firm wide data security. Input and decisions from departments other than IT ensures issues are addressed appropriately. 

What else do you need to do?

One of the most important elements to obtaining ISO 27001 certification is management commitment. Messages from senior management, the Board or the Managing Partner, for example, demonstrates to the rest of the firm information security is being taken seriously. Information security should be on the agenda of every board meeting ensuring decisions are being made at a senior level. Management commitment is also demonstrated through the approval of new policies. Publishing policies that relate to information security illustrates the firm are making informed decisions about how they want to tackle these issues and provides direction to the rest of the firm. Through releasing policies in conjunction with training and awareness programs subtly, but effectively, encourage a secure culture. 

Analysing your risk register allows the firm to establish their information security weak points and strong points. This gives teams the opportunities to build on their actions to mitigate risk and in some cases reduce the impact significantly. The journey towards ISO 27001 certification, can highlight new areas of risk where controls may be required that have previously been over looked.  In the 2013 Annual Law Firms’ Survey conducted by PWC Legal it was reported “over one-quarter of respondees to our survey have yet to carry out a security risk assessment covering both Information Security and Physical Security”. Without knowing the risks and what needs to be done to mitigate them the firm leaves themselves open to attack. Additionally, the risk assessment shows the SRA the firm is fully aware of its own risks and are doing as much as they can to protect their client’s data.

Management support, approval and acceptance of policy and procedure, a training and awareness programme and analysing the risk register are the starting points of establishing a management system. The management system is the core element of the standard. It provides structure and control, allowing the firm to react to issues in a controlled manner; to be proactive when addressing weaknesses and strive for continual improvement. The management system essentially underpins a law firm’s obligations, primarily, duty of care to its clients. 

Clients like to know their data is secure and safe. Even though ISO 27001 certification is not a legal requirement for a law firm to obtain, like the detectors at the entrance of a shop or the alarm fitted to your home, it does provide controls and guidance that will protect a law firm’s information. The sound of the alarm if someone attempts to remove a product from the store or a house alarm alerting its neighbours are recognised sounds that something is not right and therefore action needs to be taken. By being proactive the store owner and home owner have put controls in place to prevent any future loss, and ISO 27001 is a broad control that a law firm can put in place to be proactive. Clients are demanding more and more evidence from their law firms they are protecting their data, they are increasingly requesting the reassurance their information will be safe. Having ISO 27001 certification makes this easier to prove and facilitates transparency to clients.