ISO 27001 and what it has to do with the law industry


August 9th, 2023



Cyber security is a familiar term in today's day and age (as it should be!), and one particular industry that is coming under increasing scrutiny from its clients is the legal industry.

As society becomes more aware of the gravity and potential consequences of a data breach, clients are beginning to demand that their legal representatives take all necessary precautions to protect their data from a potentially devastating breach. Data breaches and losses can be catastrophic to any organisation due to potential financial losses or, worse, damage to reputation.

Law firms in particular are at risk of a cyber breach due to the sheer volume of highly sensitive data they process and/or hold on behalf of their clients (and staff!).

This article is focused on the gold standard in information security, ISO/IEC 27001:2022, and seeks to provide legal professionals with a more in-depth understanding of the standard and how it may benefit them, their organisations and their chambers.

Now, some in the legal profession may be familiar with ISO 27001:2022 because several of the managed service providers (MSPs) that support legal firms have already gained their certification, or because other vendors flaunt their certifications. But does the average barrister or solicitor actually know what it shows and why it's something to be proud of?

What is ISO 27001?

ISO 27001 is an internationally recognised standard for protecting and securing an organisation's information assets. Information is, for any business, an essential and extremely valuable asset that must be protected. Whether it's client files, financial records or employee data (for example), the information that your business uses is the very essence of your business.

The Standard itself sets very high thresholds for managing and protecting the confidentiality, integrity and availability of an organisation's information assets. ISO 27001 certification requires the implementation of a compliant Information Security Management System (ISMS). An ISMS also helps an organisation evidence its compliance with the General Data Protection Regulation (GDPR).

Although the process of obtaining the certification is rigorous, law firms will benefit hugely from an extensive run-through of all their security practices. The auditing process will tease out any holes in a firm's infrastructure, meaning:

  1. The holes can be patched before they are found by someone with malicious intentions.

  2. The firm can leverage its information security management system to make itself more attractive to clients, or potential clients, who are concerned about confidentiality.

How does implementation work?

Implementation of an ISO 27001 compliant ISMS looks different for every organisation and every consultancy has its preferred methodology. However, it should always boil down to one very important question: What are we trying to solve?

If you decided to work with ADL Consulting, for example, we would start by looking at the organisation's information security related risks, deciding whether or not to accept each of these risks and, for those we don't accept, what we are going to do to treat them.

Having identified those risks, the next step is to write a set of policies, starting with the documentation ISO 27001 requires and then those that address the identified risks and answer our "what are we trying to solve?" question. Then begins the process of integrating these policies and standards into everything the organisation does; this way of working should be a help and not a hindrance.

Once all of this is said and done, the organisation can put itself forward to be audited. This involves a certifying body sending an auditor or a team out to pick the system to pieces in order to establish whether or not it is robust and therefore provides the organisation with sufficient protection against information/data breaches.

And finally, the auditor (if they're happy) will recommend the organisation for certification!

There is then some upkeep involved (of course) to maintain the certification, including regular check-ins and internal audits, and organisations must be recertified after 3 years (less stressful because, as long as the system has been maintained, organisations have little to worry about here).

Next steps…

Now, if all of that sounds like something you:

  1. Think your organisation needs and want more information about, or

  2. Know your organisation needs and want to get cracking with…

Then please get in touch and we can produce a bespoke quote to meet your organisation's needs, wants and timeline.

We look forward to hearing from you.

Andy Larkum

Managing Director


© ADL Consulting Ltd 2023. All rights reserved.