ISO 27001 information security certification is quickly becoming the de facto standard across law firms. It is the standard supported by ILTA / LegalSec and some of our major client industries including Financial. It has the nice feature that you can actually get certified to the standard by a third party auditor. The standard contains a healthy dose of absolute requirements yet is risk focused to allow your firm to prioritize its biggest areas of exposure. Best of all, once certified you have not just a piece of paper, but an ongoing Information Security Management System which will help you to improve security on an ongoing basis.
Deciding whether certification is right for your firm is the first step. The attached presentation is designed for you to learn and communicate the benefits and process of ISO 27001 to your firm. The process involves deep involvement from IT and broad involvement from a range of groups including Physical Security, Human Resources, Electronic Discovery, and Senior Management. You may find this useful in gauging their interest and getting their involvement.
Even if you choose not to get certified, you may find it useful to adopt components of ISO such as a Risk Management Framework. Aligning to the ISO 27002 list of controls may help you with client audits since many of them appear to draw from this base.
Feel free to rip, re-skin, reuse whatever you find useful and make it your own. If you have suggestions for ways to improve it, we’d love to hear from you. If you actually start a certification project or get certified, let us know so we can include your firm in the presentation.#LegalSEC
Thanks to Jeffrey Franchetti (Cravath, Swain & Moore LLP), Timothy Golden (McGuireWoods LLP), and John Verry (Pivot Point Security) for collaborating with me on the presentation.