
Client Story

Canadian Law Firm Passes ISO/IEC 27001:2013 Certification with Flying Colours

Keeping client data safe is a concern for all businesses. When it comes to the legal profession, that concern is especially well founded.


Law Firm

Canada

Law

Objective

Implement an ISMS and become one of the first law firms in Canada to achieve ISO/IEC 27001:2013 certification.

  • Implemented security management policies and procedures entailing an internal audit program, set up of a management committee, and development of a process for ongoing continuous corrective action
  • Successfully achieved ISO 27001 certification, passing both stages of the ISO audit process
  • Scalar Security & Risk Advisory Consulting Services

Keeping client data safe is a concern for all businesses. When it comes to the legal profession, that concern is especially well founded. Law firms handle a massive amount of sensitive data and intellectual property, meaning clients look for every assurance that controls are in place and information is protected. ISO/IEC 27001:2013 certification is the information security management system (ISMS) gold seal of approval, demonstrating the holder of this designation has gone through a formal, rigorous, and ongoing audit process. One leading, national law firm recently embarked on the audit process, leveraging Scalar expertise along the way.

ISO 27001 is a collection of activities concerning the management of information risks. It entails building an information security program the organization follows to identify, analyze, and address information security risks. ISO 27001 requires that management systematically examine information security risks, design and implement security controls, and adopt a management process to ensure the security controls continue to be met.

Approach

Threat Risk Assessment

The firm engaged Scalar to implement an ISMS which would pave the way to certification. An initial threat risk assessment conducted prior to the certification process provided a baseline and highlighted gaps in the firm’s security posture. During the risk assessment process, key information assets were identified and given a sensitivity rating based on the confidentiality, integrity, and availability requirements of the data. Next, risk scenarios were documented and the impact and likelihood of each scenario were rated, providing an overall determination of the information security risks for the firm. Detailed reporting with recommendations for remediation was provided.

ISO 27001 Certification Preparation

With the threat risk assessment completed, the firm was ready to begin the demanding process of preparing for the certification audit. In phase one of the certification preparation, the team reviewed and customized the firm’s security policies, tailoring them to the legal environment. After the documentation review, a governance structure was implemented, employing a committee to oversee all information security tasks and annual program deliverables. Throughout a five-month timeframe, Scalar security and risk assessment experts worked with the firm to document meetings and develop metrics, eventually training the firm to take full ownership of the process. An internal audit was conducted to ensure the team was ready for the external certification audit.

Challenges

Knowledge Transfer and Training

Implementing an ISMS and achieving certification is not without its challenges. It requires significant executive buy-in and culture shift across the firm. During the implementation of the program, Scalar met with the managing directors to provide an overview of ISO, illustrating how the program would impact lawyers, administrative staff, and operations. “We helped them understand what risk management is and the core processes that must be performed,” said Anthony Khan, Senior Consultant, Cyber Risk at Scalar. Understanding concepts and practices is crucial – “to run a successful security program, the organization must understand what is required of them on a monthly, quarterly, and annual basis.”

Outcome

Scalar was able to implement the security management structure and the law firm passed both audits with flying colors. Auditors seek evidence to confirm the ISMS has been properly designed and implemented, and is operational. “We had absolutely no compliance issues,” said Benjamin Li, Senior Consultant, Information Assurance at Scalar. “That is virtually unheard of.”

Results

  • Implemented the security management structure
  • Helped the law firm pass both audits with flying colors