The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/80353
Lessons Learned

firm was seeking certification across the entire organization.

The training presentations were conducted in the summer of 2008 as one-hour sessions and were offered three times per day in all offices, with a morning and afternoon session for nonlawyers and a lunch-time session for lawyers. To increase the incentive for lawyers to attend, they received a free lunch and were able to claim continuing professional development (CPD) points for each session.

The presentations were primarily delivered by a newly promoted partner in the firm. This had two benefits:

• It was not someone from the IT department telling lawyers and staff how to work. Instead, it was a partner saying that the firm was moving in a direction that would be beneficial for clients and which was already being requested by clients.
• The partner leading the presentations was newly promoted, so it gave him the opportunity to meet personnel while raising his profile within the organization.

Process Assessment

Meanwhile, we still had to decide which certifying body we would use. We had a few options, and Bond Pearce selected BSi — the U.K.'s National Standards Body (NSB). This decision was made early in the process and in March of 2008, BSi performed a pre-assessment. This was a paper-based exercise that confirmed the firm had the necessary working processes to be assessed. It also included a discussion of the processes that would be followed during the audit.

Stage two of the assessment began in October of 2008. This was it — time to see just how much work the firm had done. This stage consisted of seven full days of audits by BSi that were broken up into two days in the firm's Plymouth office, two days in the Southampton office, two days in the Bristol office and a half-day each in the London and Aberdeen offices. The number of days required to perform the audits was directly proportional to the firm's size and overall infrastructure.

Based on what was defined in the statement of applicability (SOA), the assessments focused on all of the applicable controls as set forth in the firm's ISMS. The assessor reviewed documentation, assessed physical security and interviewed staff members to gauge their understanding and awareness of controls and procedures. An assessor typically finds faults that can be categorized into four areas:

• Areas for improvement
• Observations
• Minor nonconformities
• Major nonconformities

During Bond Pearce's assessment, the assessor identified a few minor nonconformities and a few observations.

"We have reduced the amount of time spent conducting the annual review and risk assessments from six to three weeks."

Corrective Action Plans

The required responses to the external certifying body regarding findings from continuing assessment visits for nonconformities are different. During the initial and triennial assessments, major nonconformities can be addressed by submitting a corrective action plan as opposed to terminating the process; minor nonconformities can be addressed by internal corrective action plans.

By the end of October 2008, the firm had reached the final day of the assessments and the culmination of 16 months of hard work. The lead assessor reviewed the reports from all of the firm's sites (some of which he had conducted). With a smile on his face, he congratulated the team on achieving the standards required for certification (it's safe to assume the assessor's smile was not as big as Mack's).

Continuing Assessment Visits

Of course, this was just the beginning, as the really hard work of keeping the certification followed. BSi set a schedule of continuing assessment visits for the next three years, the period for which the certificate was valid. This schedule included one day each year in Plymouth, one day each year in Southampton, two days each year in Bristol and one day during the life cycle of the certificate in London and Aberdeen.
Further, in the third year of the certificate's validity, to coincide with the anniversary of its issuance, a full reassessment was scheduled pursuant to the requirements for achieving its renewal. Bond Pearce 122 Peer to Peer