Case Closed: 3 Benefits ISO 27001 Can Have for Your Law Firm

May 25, 2017 Scott Zelko

When you think of a data breach, what comes to mind? It’s probably the image of a hacker stealing data from a large business that stores an abundance of customer data, like Target, for instance. Data breaches are no longer confined to retailers and healthcare organizations; they are becoming a real concern for law firms as well.

Last summer, the computer networks of some of New York’s most prestigious law firms were hacked, leading to an FBI investigation. This is a growing trend: attackers obtain sensitive client information, which is then used for insider trading and other financial crimes.

According to ThreatPost, high-powered law firms hold personally identifiable information about executives whose email and personal data are attractive to hackers interested in identity theft and financial crimes, such as fraudulent money transfers.

It should come as no surprise, then, that as the seventh highest target for cyber criminals, law firms are under increased pressure from clients to keep their data safe. Achieving ISO/IEC 27001:2013 (ISO 27001) certification can help protect your law firm in three big ways:

Secure client data:

Your clients entrust you with their sensitive information. When your firm is ISO 27001 certified, it means you are complying with worldwide specifications for managing the availability, integrity, and confidentiality of your information assets. But being certified doesn’t just mean your technology processes are working as they should. The ISO 27001 standard focuses on a management system, so information security is approached holistically, meaning the entire information security lifecycle is addressed, including risks, processes, and people. The lifecycle approach is critical in today’s dynamic, technology-driven environments. Without it, security practices and procedures will quickly become outdated as the business and the external threats it faces change.

Competitive advantage:

Unlike the healthcare and financial industries, the legal industry has no set of regulations or standards governing how law firms collect and store data. As a result, pursuing ISO 27001 certification is a relatively new endeavor for law firms. Holding an ISO 27001 certification not only shows your clients that you want to protect their valuable information; it can also set you apart from your competition.

Read about how litigation powerhouse Shook, Hardy & Bacon established a culture of information security with ISO 27001 certification.

“Given that law firms have a lot of data, it's a natural trend that they would be focused on trying to make sure they have some sort of third-party assessment to ensure their customers that they take this very seriously,” explained Ryan Mackie, Schellman & Company’s ISO Certification Practice Director. “It is becoming more popular among law firms. There have been a handful of firms that have obtained ISO 27001 certification, and because of that, they've almost created that market,” Mackie said.

Better business resilience:

Becoming ISO 27001 certified protects your firm’s clients and its intellectual property, and it can help prevent or minimize the damage sustained in a security breach. With the framework an ISO 27001 information security management system (ISMS) puts in place, it is much more likely your firm can detect and stop a security breach in its early stages, which helps you mitigate the impact of the breach.

The benefits of ISO 27001 certification are not industry-specific, nor are they reserved for financial, healthcare, or government entities. The fact is, your law firm handles sensitive data, and whether you realize it or not, it is at risk of cyber-attack. Protect your business and your clients by considering ISO 27001.

About the Author

Scott Zelko

Scott Zelko is a Managing Director at Schellman. Scott leads the Northeast Practice and the ISO Certification service line including ISO 27001, ISO 9001, ISO 20000, and ISO 22301. He works with many of the world’s leading cloud computing, FinTech, and security provider clients. Scott has more than 30 years of experience in the information technology field including IT management, system implementations, attestation and other advisory services and holds multiple certifications in the areas of Security, Privacy and Enterprise Governance. In addition, Scott works with clients to develop unified compliance strategies to meet internal, regulatory and client requirements.
