Legal sector

The Benefits of ISO-27001 for Legal Firms
Is it right for your firm?
What is ISO-27001? Why are you hearing so much about it?
• What problems does it solve? Other benefits?
• What does the process look like?
• How much? How fast? How painful?
• Why is it relevant to the Legal Vertical?
How bad is Your Pain?
• We need to prove to many of our clients that we are “secure”
• We need to prove that many of our service providers keep our data secure
• We need to prove we are compliant with different regulations/standards
• We are struggling with regards to Information Security

What are your issues?
• Highly diverse levels of very sensitive data in a single firm
• Diverse Client/Vendor Risk Management (VRM) practices
• National/International Client Base
• International attestation
• PII Data Protection laws (EU-DPA, 46 State PII, PIPEDA)
• Partner Model can be divergent with F500 security requirements
• “Brand” is a priority – Reputational damage is the lingering data breach injury
• HIPAA – Covered Entities (CE) are beholden
• Business Associate Agreement (BAA) signers are beholden
• HIPAA Omnibus Rule
• Implicit BAA via data Store, Process, and Transit

Key Impacts
• Need to apply the “Principle of Least Privilege”
• Document Management System
• Develop a Breach Risk/Impact Assessment mechanism to mitigate Breach Notification Risk on unauthorized disclosure (even by a lawyer in the same practice area)
• China-based hackers looking to derail the $40 billion acquisition of the world’s largest potash producer by an Australian mining giant zeroed in on the Canadian law firms handling the deal.
• Mary Galligan, head of the FBI’s NYC cyber division, convened a meeting with the top 200 law firms in New York City last November to deal with the rising number of law firm intrusions.

Should we be thinking about 27001?
“Our recent ISO 27001 and ISO 20000 certifications provide us with a competitive differentiator in the marketplace. It also provides us with further validation that our approach to managing service delivery and security risk is comprehensive and effective — an important consideration for our business and customers …”
ISO-27001 will address each of the pain points, differentiate your firm in the near term, position you to keep/win business with organizations that have mature Vendor Risk Management programs, and significantly simplify security & compliance.
“ISO27001 is an internationally recognized, certifiable, Information Security Standard that formally specifies an Information Security Management System (ISMS) to bring Information Security under explicit management control.”

27001 Benefits:
Reduces the Burden of Compliance
• Reduces Complexity of Dealing with Multiple Standards
• Attest once to a single standard then map to disparate standards
• Inputs now become outputs (HIPAA, NIST/FISMA, PII)
Improved Risk Management
• Applies a structured risk management approach
• Integrates/aligns with corporate ERM
• Greater, more positive exposure to management for CSO/CIO
• Rationalizing budgetary requirements in a language management understands = More Money
Simplifies Vendor Risk Management