The 6 Steps Law Firms Need to Take to Become ISO Certified
By Mihir Mistry and Sue Pellegrino
In a world where cybersecurity is a critical, ongoing concern, law firms need to be doing everything they can to protect the vast amounts of sensitive and confidential information they possess. We’ve already seen major law firms fall victim to the devastating security breaches at the hands of sophisticated hackers.
Now is the time for law firms to show their commitment to keeping their client data secure. The International Organization for Standardization currently develops and publishes the most highly respected international security standards and offers certification for law firms that want to demonstrate their commitment to security. ISO certification is a time-intensive process, but one that is worth it for the peace of mind and competitive advantage it offers.
What Is ISO Certification for Law Firms?
An ISO certification is a signal to your clients and others in the industry that you’re serious about security and dedicated to creating the safest environment for the data you handle. The relevant certification standard for law firms is ISO 27001, pertaining to Information security management.
As cybersecurity concerns continue to increase, more and more of your clients will be looking at ISO certification as a key measure in evaluating outside counsel hiring decisions. Therefore, ISO certification is not just a valuable component of security, it’s also increasingly a requirement for maintaining a competitive advantage in a tight legal market.
The Steps to ISO Certification
Obtaining your ISO certification is a process that typically takes nine months to a year. In that time, Zaviant will guide you through the following six steps to ensure that the process goes smoothly.
Step 1: Discover
The first step is to develop your organizational content. This starts with a current state analysis, where you assess everything in your security environment – including your people, process and technology. The goal is to get a realistic picture of how secure you are now and where you can stand to make improvements.
Step 2: Plan
After you know where you stand, you need to establish a clear plan for where you need to get in order to be ready for certification. This includes defining the scope of your activities and creating a Statement of Applicability that makes clear how you’ll treat any risks you’ve perceived in your security, including the processes, systems and stakeholders involved. It’s critical to have your leadership on board if your plan is to succeed.
Step 3: Do
A few months of your certification process will involve implementing the measures and procedures necessary to meet ISO 27001 standards. This includes developing a clear security manual for your firm, training your workforce on that manual and reviewing their activities. You’ll also be implementing a vulnerability and penetration testing program designed to internally spot and exploit any security vulnerabilities that still exist, which mimics formal vulnerability and penetration testing that will be later performed as part of the ISO 27001 certification process.
Step 4: Check
After you’ve implemented and reviewed your new security measures, it’s time to truly put them to the test. ISO 27001 is designed to certify that your firm’s information security management system is effective for your firm’s purposes and potential risks. Therefore, you need to conduct an official ISMS review to make sure your objectives remain appropriate and that you’re meeting them. We conduct this review by monitoring and analyzing key KPIs in a sophisticated metrics dashboard.
Step 5: Act
The final step before you turn things over to an external auditor is to conduct a strict internal audit to confirm that you’re properly following your new policies and procedures and that you have an organizationwide understanding of the ramifications for failing to do so. If anything fails your audit, now is the time to take care of any leftover remediation steps.
Step 6: Certify
The last step is to undergo an official audit led by an external auditor. The Stage 1 Audit reviews your management system documentation, and auditors will evaluate your security conditions, KPIs, processes, procedures and more. If you pass Stage 1, the Stage 2 Audit evaluates whether your processes are in compliance with your management systems. If errors are found, you’ll have a chance to correct them. Once you successfully pass the Stage 2 Audit, you’ll obtain ISO certification.
Showing a serious commitment to security, and specifically obtaining ISO certification, is critical to remaining competitive in today’s legal market.
Check out an article from the May 2022 issue of Cybersecurity Law & Strategy on this topic – The Importance of ISO Certification for Law Firms.
About the Authors:
Mihir Mistry is the vice president of security and operations at Zaviant Consulting, a leader in cybersecurity, data privacy and compliance consulting.
Sue Pellegrino is the owner, president and CFO of Everest Discovery, a leading national litigation support and eDiscovery provider.