Why law firms should certify to ISO 27001

Law firms are prime targets for cyber attacks, and according to Logicforce’s Law Firm Cyber Security Scorecard, they aren’t helping themselves. Every firm surveyed was targeted for confidential client data in the past two years, and 95% aren’t complying with data governance and cybersecurity policies.

The report also found that 63% of breaches are linked to third parties, and 80% of firms admitted that they didn’t tightly control the information security policies of their vendors.

Given the considerable amounts of personally identifiable information and privileged client material that law firms hold, information security should be a top priority. Many clients are now demanding that law firms certify to ISO 27001, the international standard that specifies the requirements for an information security management system (ISMS).

ISO 27001 is in demand

As Brightflag writes: “Standards such as ISO 27001 have become a must-have for any technology vendor for legal departments and law firms. It gives the legal department assurances that the vendor has strong policies, training and active monitoring in place.

“Data encryption, patching, regular staff training, monitoring of access controls: these are all areas that are key to maintaining information security, and yet are still not common across all technology vendors.”

The move toward ISO 27001 has been noticeable in the past year. The CybSafe Supplier Cyber Security Study found that 44% of respondents received requests from their enterprise customers to implement a cybersecurity standard such as ISO 27001, with 28% of these coming in the past year.

Likewise, in the ISO 27001 Global Report 2016, 71% of respondents said that clients, partners, or suppliers had asked them to provide evidence of ISO 27001 certification.

Brightflag advises that “third-party accreditation must be part of your outside vendor checklist of best practices (and if you don’t have a checklist yet, you need to develop one). There are seemingly countless examples of data breaches that might have been prevented had due diligence prevailed during the on-boarding process.”

It adds: “The emphasis is on legal departments to insist vendors provide assurances and compliance requirements during the buying process.”

Benefits of ISO 27001

By certifying to ISO 27001, organizations can:

  • Win new business and retain existing clients
    Certifying to the Standard demonstrates to clients that an organization takes the protection of sensitive information seriously. It adds credibility when tendering for contracts, helps win new clients, and strengthens existing client relationships.
  • Reduce the financial penalties and losses associated with data breaches
    ISO 27001 is the accepted global benchmark for managing information security risk. A certified ISMS requires the firm to identify its information assets, assess the risks to them, and apply and review controls accordingly, which reduces the likelihood of a breach and the regulatory penalties, financial losses, and client lawsuits that follow one. Certification is evidence of a working management system, not a guarantee that no breach will occur.
  • Satisfy audit requirements
    ISO 27001 certification is a globally recognized indication of security effectiveness. Many clients will accept a current certificate and the Statement of Applicability in place of their own questionnaire or on-site audit, reducing the number of repeated customer audits and external audit days the firm has to absorb.

Find out more about ISO 27001

Our free green paper Information Security & ISO 27001: An Introduction goes into more detail on the benefits of ISO 27001. It explains how the Standard relates to ISO 27002 and ISO 9001, the difference between conformity with and certification to the Standard, how the Standard helps you meet your legal and regulatory obligations, and more.
