Keeping client data safe is a concern for all businesses. When it comes to the legal profession, that concern is especially well founded. Law firms handle a massive amount of sensitive data and intellectual property, so clients look for every assurance that controls are in place and information is protected. ISO/IEC 27001:2013 certification is the gold seal of approval for an information security management system (ISMS), demonstrating that the holder has gone through a formal, rigorous, and ongoing audit process. One leading national law firm recently embarked on the audit process, leveraging Scalar expertise along the way.
ISO 27001 is a collection of activities concerning the management of information risks and entails building an information security program that the organization follows to identify, analyze, and address information security risks. ISO 27001 requires that management systematically examine information security risks, design and implement security controls, and adopt a management process to ensure security controls are continuously met.
Threat Risk Assessment
The firm engaged Scalar to implement an ISMS that would pave the way to certification. An initial threat risk assessment, conducted prior to the certification process, provided a baseline and highlighted gaps in the firm’s security posture. During the risk assessment, key information assets were identified and given a sensitivity rating based on the confidentiality, integrity, and availability requirements of the data. Next, risk scenarios were documented and the impact and likelihood of each scenario were rated, providing an overall determination of the information security risks for the firm. Detailed reporting with recommendations for remediation was provided.
ISO 27001 Certification Preparation
With the threat risk assessment completed, the firm was ready to begin the demanding process of preparing for the certification audit. In phase one of the certification preparation, the team reviewed and customized the firm’s security policies, tailoring them to the legal environment. After the documentation review, a governance structure was implemented, with a committee to oversee all information security tasks and annual program deliverables. Over a five-month timeframe, Scalar security and risk assessment experts worked with the firm to document meetings and develop metrics, eventually training the firm to take full ownership of the process. An internal audit was conducted to confirm the team was ready for the external certification audit.
Knowledge Transfer and Training
Implementing an ISMS and achieving certification is not without its challenges. It requires significant executive buy-in and culture shift across the firm. During the implementation of the program, Scalar met with the managing directors to provide an overview of ISO, illustrating how the program would impact lawyers, administrative staff, and operations. “We helped them understand what risk management is and the core processes that must be performed,” said Anthony Khan, Senior Consultant, Cyber Risk at Scalar. Understanding concepts and practices is crucial – “to run a successful security program, the organization must understand what is required of them on a monthly, quarterly, and annual basis.”
Scalar implemented the security management structure, and the law firm passed both audits with flying colors. Auditors seek evidence to confirm that the ISMS has been properly designed and implemented and is operational. “We had absolutely no compliance issues,” said Benjamin Li, Senior Consultant, Information Assurance at Scalar. “That is virtually unheard of.”