Information security management remains a serious issue for the legal sector, with law firms reporting an increase in targeted attacks in 2018. Large volumes of client funds and confidential information are irresistible to cybercriminals, so it is unsurprising that 60% of law firms reported that they had suffered a security incident during the year (PwC Law Firms’ Survey 2018).
Leading law firms are tackling cyber threats head-on with ISO 27001, the international standard for information security. By implementing a best-practice ISMS (information security management system) and certifying to ISO 27001, management teams can safeguard their firm. With cyber attacks on the rise, data protection should be a high priority for all law firms.
ISO 27001 certification is increasingly demanded of law firms when tendering for major projects. Achieving accredited certification to ISO 27001 will put your firm in the running for these tenders and will demonstrate that you are committed to protecting your clients’ confidential data.
What is ISO 27001?
ISO 27001 is one of the most popular information security standards in the world, with certifications growing by more than 450% in the past ten years. It sets out the requirements for an ISMS, which is a systematic approach to information security focusing on people, processes and technology that helps you protect and manage all your organization’s information through effective risk management.
Be proactive with your firm’s information security
PwC’s 2018 survey found that 46% of law firms had a security incident related to their own staff where the firm had suffered a loss or leak of confidential information. When asked about IT disaster recovery, only 27% of respondents were very confident that their testing had completely demonstrated that their firm’s end-to-end operable services could be recovered in accordance with business recovery requirements. The survey results indicated that, in the event of a serious incident, some law firms might not be prepared to respond appropriately.
Since the GDPR (General Data Protection Regulation) came into force in May 2018, organizations have been legally required to report certain types of personal data breach to their supervisory authority (in the UK, the ICO (Information Commissioner’s Office)) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Because that clock starts at the moment of awareness, it is essential for law firms to ensure that they can promptly detect a breach and establish its nature and scale.
Since a single moment of carelessness by an employee can jeopardize your firm’s security, addressing information security risks is clearly about far more than simply implementing processes and installing antivirus or anti-malware software. A more proactive approach to information security is needed, and this should include ensuring that all members of the firm are adequately trained.
How will my firm benefit from ISO 27001?
- ISO 27001 can help your firm protect the confidentiality, integrity and availability of your firm’s information assets, as well as those of your clients.
- It helps you meet your legal and regulatory data protection obligations while improving your firm’s cybersecurity posture and productivity.
- Your firm can achieve independently audited certification to the Standard when you implement an ISO 27001-compliant ISMS, demonstrating your firm’s information security credentials to clients, stakeholders and regulators.
- Following certification to the Standard, you can require that your key suppliers also achieve certification, giving independent assurance that these third parties maintain suitable levels of security. This supports GDPR compliance.
- Your firm will be in good company: approximately 40,000 organizations around the world – including numerous law firms – are already certified to ISO 27001.