Peer to Peer Magazine

September 2012

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/80353


lessons learned

ISO 27001 … Certification Achieved

by Ben Weinberger and Paul McKay of Bond Pearce

Over the course of the past six years, law firms have seen an increase in the number of information security-related questions asked during the tender or request for proposal (RFP) process. Whereas some tenders now ask specifically about ISO 27001 certification (a prestigious standard recognized worldwide), others ask rather vague questions that would nonetheless be covered by certification.

In addition to increased client demands for information security, the Law Society of England and Wales has also imposed information security guidelines as part of the code of conduct that law firms must follow. Although the Law Society does not require ISO 27001 certification, aspects of what it does require are included within the certification's framework.

Clients are becoming savvier with regard to their expectations of law firms. Given the evolving and competitive nature of the legal market, it is important to ensure that a firm is able to meet client demands when competing for business. In 2006, Bond Pearce decided to seek ISO 27001 certification, making the conscious decision that the incremental effort required to achieve full certification was worthwhile given the objective value it would represent to clients.

Business Case

In preparing to seek certification, it was necessary to present a business case for management approval. The business case process was a challenge to get right because we had to have buy-in from top management. We created an "FAQ" that provided responses to questions we could readily anticipate. The business case outlined what ISO 27001 is, how it would be achieved and who would benefit from it. The FAQ addressed such questions as:

• Will the standard and underlying policies tie up staff in red tape and act as a business disabler?
• Why should we seek full certification across the entire business?

The business case also noted the common and clear overlaps with ISO 9001 certification (for quality management), which Bond Pearce already held. The process of gaining approval took quite some time, but it was worth the effort to have management's support.
