This paper defines ISO 27001 certification and illustrates various approaches to achieve certification within your law firm.
Information is the most valuable asset within a law firm and keeping this information secure is paramount to clients and firm leadership. ISO 27001 provides a framework to better protect information from an increasing variety of threats including fraud, cyber-attacks, inappropriate access and data leakage. Certification helps firms:
As reports of data breaches, cybersecurity attacks and hacking continue to rise across the globe, many organizations (especially those in heavily regulated industries such as financial services and healthcare) are reviewing more closely how their data is managed, protected and stored, both internally and externally with third-party vendors. Because law firms hold highly confidential client data, many observers, including the FBI, identify them as prime targets for security incidents. Commenting on Verizon's 2015 Data Breach Investigations Report, Verizon General Counsel Craig Silliman stated that law firms are prime targets for hackers: “Law firms hold a lot of sensitive documents about their clients. They are not just potential, but likely, targets for those looking to find sensitive information. We think it’s very important that law firms look at the threat environment and make sure their systems are up to standard.” (Edwards, 2016)
Clients from multiple industries are examining how their outside counsel protects information across the enterprise, not just within its technology but also through its policies, procedures and the actions of its employees. As firms continue to be subject to security questionnaires and onsite audits, more consideration is being given (both by the client and by the law firm) to obtaining ISO 27001 certification as a means to validate their security profile. As an added benefit, some law firms leverage ISO 27001 certification as a competitive advantage. As of March 2016, ILTA identified 30 firms (60 percent of them AmLaw 100 firms) that are ISO 27001 certified and 55 more working towards or investigating certification (Costello, 2016). Another survey, performed in 2015, reported that of the Global 100 firms, 30 held ISO 27001 certification, 17 were actively pursuing certification during 2016 and 39 were investigating the process.
While certification is an increasing trend in law firms, such a decision is not being taken lightly, and certainly some are choosing not to become ISO 27001 certified. ISO 27001 certification can be a costly initiative to undertake and one that requires the attention and time of many individuals within the firm. Additionally, it can be challenging for a firm to measure the benefit of being certified, as not all clients demand the same level of security controls. It is also difficult to determine, at present, whether having ISO certification is a competitive advantage for a law firm over a firm that is not certified but has a very credible security program.
This paper defines ISO 27001 certification, illustrates various approaches to achieve certification, describes benefits and challenges with the certification process and identifies the direct linkage between ISO 27001 and Information Governance (IG) as a discipline. Information security must be a top priority whether or not a firm decides to pursue ISO certification. While ISO certification is not the only means to protect client and firm information, it is an approach worthy of very strong consideration.
Many firms specify an individual or team dedicated to information security, and are often required to identify such a person(s) as part of a client audit. However, it is important to note that ISO 27001 addresses security in virtually all aspects of a firm: people, operations and technology, and as such, reinforces the motto that “security is everyone’s responsibility.” As many IG departments support a very similar motto for their own initiatives, this paper should resonate across many disciplines, including:
Many law firms have obtained, or are in the process of obtaining, certification against the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) standard, referred to here simply as ISO. The ISO/IEC 27000 series standards build in continuous feedback and improvement activities; the 2005 edition of ISO 27001 framed these explicitly as an iterative “plan-do-check-act” (PDCA) cycle, and although the 2013 edition no longer mandates PDCA by name, the same expectation of continual improvement remains. ISO 27001 specifically sets out the requirements for an Information Security Management System (ISMS); those requirements are high level yet applicable to all types and sizes of organizations. ISO 27001 is one of the few security frameworks that mandates specific requirements against which an organization can be formally audited and certified compliant. Often referred to as the “Standard,” ISO 27001 is both technology- and vendor-neutral. The ISMS includes recommendations for organizational structure, policies, planning activities, responsibilities and procedures for a structured approach to information security (Calder, 2010). It is worth noting that certification attests to the management system, not to the security of any particular product or system: a certified firm has demonstrated that its ISMS meets the Standard's requirements within a defined scope, which is why the scope statement on the certificate matters when a client evaluates it.
Challenges in pursuing ISO certification include obtaining buy-in and engagement from stakeholders such as firm management, key practice groups and executive teams, and extending that engagement to the appropriate business partners so the firm has the support it needs for a successful implementation. Resources and time from key business partners are a significant challenge for any new initiative, and ISO certification is no different. Attorneys may resist new policies or procedures, especially those whose clients are not demanding higher security measures from their law firms. In addition, staff members involved in the certification process may be overwhelmed by the corresponding time requirements, especially if they have conflicting projects and priorities. The initial investment in ISO certification requires dedicated executive and staff time, coupled with the right people on the internal and external consulting teams. Additionally, the firm must have a robust change management program to ensure that those who are resistant or concerned about the impact thoroughly understand the intended benefit of becoming ISO 27001 certified.
A firm needs the following groups to take an active role in the ownership and success of the initiative:
It should be noted that roles are dependent upon firm size and structure. Please refer to the LFIGS Report, “Evolving Role of Information Governance Professional” for additional information.
Iron Mountain established the Law Firm Information Governance Symposium (Symposium) in 2012, as a platform for the legal industry to create an information governance (IG) roadmap unique to law firms.