
It’s no wonder that the accreditation bodies are seeing an uptick in the number of law firms exploring ISO27001. Cybercrime has reached industrial scale and law firms are a prime target.

Cybercrime is a huge regulatory risk for the profession and always ranks highly on the SRA’s Risk Outlook. Marcus Allen of Thamer James explains more.

What is ISO27001?

It is the International Standard for information security. Its forerunner was BS7799, which was used from the late 1990s through to the mid-2000s. It is recognised the world over as the premier information security management Standard. It has one hundred and fourteen control headings covering a wide range of security topics; a practice selects the appropriate and applicable controls from Annex A of the Standard.

The Standard is applicable to all organisations within the UK. It can be assessed by an independent UKAS certification body such as BSI, SGS, DNV or LRQA.

GDPR compliance

In 2019 the ISO27701 Privacy Information Management requirements were issued. These allow independent assessment of an organisation’s controls for managing personal information. ISO27701 is audited as part of ISO27001, as an annex to it. This allows a practice to demonstrate not just sound information security controls but excellent data protection protocols.

Relevance to Law Firms

The Law Society advocates ISO27001 for the enhancement of information security. In a world of complex data security threats, it is prudent for a law firm to take a holistic approach and align its entire operations against the best in class Standard for data security, thus reducing risk and exposure to fines.

Law firms have suffered from phishing email campaigns and have seen some data security breaches involving clients. By adopting ISO27001 a law firm will reduce its overall exposure to malicious attacks, whether from cyber criminals or from dishonest operatives. By using the powerful armoury of the one hundred and fourteen controls, robust responses will be established, reducing overall risk.

Some customers now require ISO27001 compliance as a contractual requirement. It may also be beneficial when renewing professional indemnity insurance.

Law firms hold personal and sensitive data, not to mention client money, the loss of which would result in potential fines from the Information Commissioner’s Office and possible loss of brand reputation as a consequence.

How to go about ISO27001 accreditation

It’s worth saying that ISO accreditation is never a walk in the park. It’s usually a project involving every part of the business. For that reason, many firms “work towards” the standard for a long time before going for accreditation.

But the benefits certainly outweigh the work involved. Firms can operate safe in the knowledge that they are taking all reasonable steps to protect data.

A free initial survey with a qualified Systems Security Practitioner will identify the size and scope of the project. This takes approximately two hours and results in a short report identifying areas of strength and weakness.

Once the survey is complete, we offer a small ISO27001 practice scheme for law firms. This includes a simple to navigate portal to house the ISO27001 (if required) plus your information security programme, with policy templates and procedures.

Should you wish to move to external assessment from a premier UKAS approved certification body, we can help with selection, audit and preparedness of your system for external examination.

Contact Us for more information.
