LegalSEC has a stated goal of aligning the legal community with the ISO 27000 series standards. This is both a worthy and a lofty goal, but it is not something that you can just go and start doing. It takes a lot of planning, hard work and, most importantly, the mandate of the decision makers at your firm to even begin the process. Unfortunately, the concepts of security and standardization are often not in the wheelhouse of many attorneys, especially at smaller firms where everyone is wearing many hats. Right away, you have met your first obstacle: how do you convince them that you need to align with ISO 27000? This blog will provide some pointers that might help make your case more effective:
Client Requirement
This will likely be the most helpful strategy because law firms are so client-service focused. If the clients say you need it, the decision makers are going to listen. Of course, if your clients already require it in order to do business with you, this will be obvious and will probably present itself in the form of an audit and/or an information security questionnaire. All you need to do in this situation is tell your attorneys that if you were aligned with the ISO 27000 series, it would go a lot better next time.
Government Regulation
This usually involves some sort of regulation of the industry your firm serves and is often a driving factor behind client requirements. For example, if your law firm specializes in a field that involves handling medical or financial records, there are many government regulations that make ISO 27000 alignment a key to your success. Clients are held accountable for their vendors (in this case, the law firm) by these regulations, and if you are not able to show that you are aligned/aligning with standards, your regulated clients will take their business to law firms that already have or that are getting their ISO 27000 series certifications.
Return on Investment
Most attorneys are cost-conscious, so showing that there is some value added by going through the effort and expense of an ISO certification will also be helpful. The specific culture and business processes of your firm will drive how this argument should be framed. Generally speaking, taking steps towards ISO compliance will help reduce the risk of a breach and mitigate its impact. Clients will feel better about giving you more work knowing that you are taking steps to secure their information. Having an ISO certification may also mitigate a hit to your reputation if there is a breach – at least you were taking steps to prevent it. Finally, it is no secret that the legal industry has identified this as an industry-wide shortfall and many firms are already starting the process. If you are not one of them, you will be left behind.
Subject Matter Expert
A subject matter expert will help make your case as well. Many staff at law firms already have a full workload and probably are not experts at ISO certifications. If you do already have someone with the expertise and bandwidth, they will also need to know the nuts and bolts of implementing such a program, and they must have the right personality to convince the decision makers to proceed. If you do not have someone like this on staff already, consider hiring a contractor or bringing someone in-house from the audit industry.
Attorney Champion
Identifying an attorney within the firm to champion your cause to the decision makers will also help. If there is an attorney within your organization who has shown an interest in ISO certifications and/or wants to add something to their resume to help them along the partner track, they are a prime candidate for this role. Having someone like this in your corner will give your cause legitimacy and political clout within the firm.
In summary, the first step in becoming ISO certified is to convince your firm that you need to do so. Using the advice above may help to convince them. This can be a challenge by itself, but if you succeed, it will be only the first of many challenges.