Posted on August 16, 2019 by Joseph Lamport
Editor’s Note: We recently had a chance to sit down with Greg Spicer, the CRO at Braintrace, to talk about the growing importance of information security management and the option for registration under ISO 27001 for law firms today. Braintrace is one of the top cybersecurity consulting firms in the country serving the legal, financial and government markets.
* * * * *
PinHawk: Why is information security important for law firms?
Greg Spicer: Establishing a strong protocol for ensuring information security lies at the heart of the law firm enterprise, and it goes to the fundamental assurance a law firm must be able to provide to its clients regarding the protection of their highly confidential and sensitive documents. An information security management system (ISMS) lies at the core of a law firm’s operation.
PinHawk: What are ISO 27001 and 27002 and how do they help establish information security?
Greg Spicer: ISO 27001 is the standard that has been promulgated by the International Organization for Standardization for information security. It sets forth the specifications of what is required in an ISMS in order for an organization to achieve ISO 27001 registration. As such, it has become the de facto security standard in the corporate marketplace, widely recognized throughout the United States, as well as by more than 60 other national accreditation bodies. In addition, ISO 27002 describes the code of conduct for organizations, including the management guidelines and best practices, which should be adopted in order to adhere to the ISO 27001 standard.
PinHawk: What type and size of law firm should consider implementing the ISO 27001 standard?
Greg Spicer: For any law firm with 150 or more lawyers, registration under ISO 27001 is very strongly recommended. That’s because ISO 27001 compliance is well on its way to becoming an effective requirement for counterparties doing business with government agencies and large corporations. If you represent corporations and financial institutions of any size, now is the time to get your own ISMS in order.
PinHawk: How can Braintrace help?
Greg Spicer: Whenever your firm is ready, Braintrace is a great partner that can guide you through the process of ISO 27001 adoption, from initial assessment to final registration. We are information security experts and we are also keenly aware of the unique operational requirements and cultural considerations that come into play in a law firm environment. We understand all the technical requirements and we can help you avoid the pitfalls that law firms frequently encounter when it comes to an ISMS implementation.
Braintrace doesn’t handle the actual ISO 27001 registration, but we can do everything else to help your firm get ready. Each engagement starts with our experts conducting an ISO 27001 gap analysis based on a top-to-bottom review of your firm’s existing security procedures, processes and controls. This analysis includes interviews with key managers and stakeholders throughout your firm. Based on that gap analysis, we then prepare a detailed plan setting forth the scope of your firm’s new recommended ISMS, along with an action plan that specifies all the steps necessary in order to achieve ISO registration.
PinHawk: How long will ISO 27001 registration take?
Greg Spicer: That all depends on the size of your law firm and the extent of the ISMS you decide to put in place. From initial needs assessment to getting your firm registration-ready can take anywhere from 3 months to a year.
PinHawk: What’s the next step if a law firm wants to pursue ISO 27001 registration?
Greg Spicer: Call us today or send me an email at firstname.lastname@example.org and we can get you started on the road to registration.