An article by Sue Pellegrino, The Importance of ISO Certification for Law Firms, was published in the May 2022 issue of Cybersecurity Law & Strategy. If you haven’t had a chance to read it yet, check it out! Read below for the full article:


The Importance of ISO Certification for Law Firms

Cybersecurity is one of the most critical issues in the business world today. Security breaches continue to grab headlines, and law firms have not been spared from the relentless efforts of hackers. Due to the massive amounts of sensitive and confidential data that law firms have in their possession, it is important to have the right security measures in place to thwart such breaches and remain successful in today’s busy, data-driven legal market.

The International Organization for Standardization develops and publishes widely recognized global security standards and offers security certification for businesses in nearly all sectors, including the law. ISO certification is not just a critical way to ensure your firm’s security; it’s increasingly important for any firm that wants to maintain a competitive advantage in today’s legal market.

What ISO Certification Means and How to Obtain It

Deciding to get your ISO certification is a move that demonstrates an undeniable commitment to security. It shows your clients and others in the industry that you’re serious about making sure you have the most secure atmosphere for the data you handle. It’s also a sign that you’re willing to take the necessary measures to have robust systems and security policies and procedures in place and also that you’ve implemented companywide training on them.

Getting certified is a time-intensive process – typically taking nine months to a year if you’re focused and committed. The first step is assessing your current atmosphere, data, systems and protocols to determine how secure you currently are and where there might be loopholes in your security that you’ve missed. It’s a good idea to work with a consultant from the beginning of the certification process, because outside eyes typically have a better ability to see the realities of your current security posture.

Once you have determined your current posture and the issues you might want to address, it’s critical to get your leadership on board. Your C-suite and partners will be crucial to successfully rolling your new security initiatives out to the rest of the firm. Next comes the meat of the work, where you plan and then implement your new security policies and procedures and train your workforce, ideally again with the help of your consultant, who will then rigorously test the measures you’ve implemented to ensure that they work and are achieving your desired results.

Testing is crucial, because it’s the only way to know that you’re properly following your policies and procedures and all your users understand the ramifications if they don’t adhere to necessary security steps. If anything fails during your internal testing, now is the time to go back and fix it.

The goal is to have everything in line before you’re formally audited to receive your ISO certification. If the ISO auditor does find either minor or major infractions – which is common – you must implement a corrective action plan. Only when you prove that you’ve corrected the infractions can you finally obtain ISO certification. The relevant certification standard for law firms is ISO 27001, pertaining to information security management, and your consultant can guide you through all the certification requirements for that particular standard in minute detail.

The Risks of Not Getting ISO Certified

Given the financial and time commitments involved in obtaining ISO certification, many firms might question whether it’s truly worth it. The short answer? It is. As a company that has gone through the rigorous work of becoming ISO certified, we can definitively say that it’s an important, and even crucial, step for law firms to be taking now.

For starters, as cybersecurity continues to be front and center in the legal industry and its importance only increases year to year, law firms will eventually have no choice but to be certified. If they haven’t already, your corporate clients will be placing heavy emphasis on security and demanding that you show a concrete commitment to it. In fact, many companies are now using security as a key measure in evaluating outside counsel when making hiring decisions.

“The value of ISO 27001 certification for a law firm cannot be overstated,” explains John C. Brooks, chief information officer at Potter Anderson & Corroon LLP in Wilmington, Delaware. “The policies, processes and procedures help the firm, and our clients, to ensure the security of the data managed. ISO provides numerous benefits in terms of the ability to respond to security questionnaires from our clients, and it inspires confidence in the firm’s commitment to information security, which is a competitive advantage.”

Of course, ISO certification is not the only way to show a commitment to security, but it’s widely recognized across industries as the standard. When potential clients are analyzing your security, it’s a specific factor that they’re likely to look for. They want to know that their data will be safe with you because you not only have the necessary internal controls, but those internal controls have been rigorously tested and audited by today’s gold standard security organization.

Therefore, making sure your security is buttoned up is crucial to the success of your business and a major factor in maintaining a competitive advantage. As the security landscape continues to evolve, certification will only become even more important.

Cybersecurity is one of the biggest trends in law and business today, and it won’t be going away anytime soon. The time to start the ISO certification process is now, so you can show your commitment to not just your own data and processes, but those of your clients. Increased security measures are no longer a luxury; they’re a necessity for everything from your IT function to achieving your business development goals.

About the Author:

Sue Pellegrino is the owner and president of Everest Discovery, a leading national litigation support and eDiscovery provider, and an ISO 27001 certified company.

Reprinted with permission from the May 2022 edition of the Cybersecurity Law & Strategy © 2022 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-257-3382 or [email protected].


Check out the recent blog post on this topic – The Six Steps Law Firms Need to Take to Become ISO Certified.