ISO 27001 and law firms. As the BBC reported, a partner at Mossack Fonseca, the Panamanian law firm at the centre of a huge leak of confidential financial data, says it was the victim of a hack. Ramon Fonseca said the leak was not an “inside job” – the company had been hacked by servers based abroad.
It is surprising that more law firms are not choosing to adopt the international standard for information security, given that they typically hold a lot of confidential information.
Perhaps it is time for law firms to ask themselves whether their systems and confidential information (whether electronic or paper) are safe and secure.
According to the ISO survey there were 1923 ISO 27001 certificates in the UK in 2013. That number grew 17.6% to 2261 in 2014, but that growth was mainly made up of the Information Technology industry sector. Of course a number of these IT companies will be providing secure services to law firms, but I would expect law firms looking to ISO 27001 to be a much larger piece of the pie, given the kind of information they hold.
So why do ISO 27001 and law firms not appear to be a match made in heaven?
I think this latest breach will get more law firms to think about information security and perhaps consider implementing ISO 27001. However, as a minimum, I would recommend that any kind of company take a look at the latest guidance from the ICO.
10 practical ways to keep your IT systems safe and secure:
- Assess the threats and risks to your business
- Get in line with Cyber Essentials (firewalls, secure configuration, access control, malware protection, patch management and software updates)
- Secure your data on the move and in the office
- Secure your data in the cloud
- Back up your data
- Train your staff
- Keep an eye out for problems
- Know what you should be doing
- Minimise your data
- Make sure your IT contractor is doing what they should be
Of course, for many organisations whether to do something in this area has been driven to a large extent by customer requirements, i.e. the customer / market requires us to have ISO 27001 certification. However, now that the General Data Protection Regulation (GDPR / preparing-for-the-gdpr-12-steps) has been agreed, it will put additional pressure on any kind of organisation to start thinking about what information it holds, how subject access requests should be handled, data breaches (making sure you have the right procedures in place to detect, report and investigate a personal data breach) and whether you need to have a Data Protection Officer.
For more useful information see also:
Get Safe Online (www.getsafeonline.org)
A joint initiative between the government, law enforcement, leading businesses and the public sector to provide computer users and small businesses with free, independent, user-friendly advice that will allow them to use the internet
Cyber Street (www.cyberstreetwise.com)
Cyber Street is a cross-government campaign, funded by the National Cyber Security Programme, and delivered in partnership with the private and voluntary sectors. The campaign is led by the Home Office, working closely with the Department for Business, Innovation and Skills and the Cabinet Office.
Cyber Essentials (www.gov.uk/government/publications/cyber-essentials-scheme-overview)
The Cyber Essentials scheme provides businesses small and large with clarity on good basic cyber security practice. By focusing on basic cyber hygiene, your company will be better protected from the most common cyber threats. Cyber Essentials is mandatory for central government contracts advertised after 1 October 2014 that involve handling personal information and providing certain ICT products and services. It has been developed as part of the UK’s National Cyber Security Programme in close consultation with industry.
10 Steps to Cyber Security (https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility)
The 10 Steps define and communicate an Information Risk Management Regime which can provide protection against cyber attacks.
Action Fraud (www.actionfraud.police.uk)
Action Fraud is the UK’s national reporting centre for victims of fraud or financially motivated internet crime. Action Fraud records and refers these crimes to the police and provides victims with a crime reference number, support and advice.
At JSC Consultant our approach is that:
- We have specialised in the design and implementation of ISO 27001 and other management systems. Our vast experience in this field means that we can take you through to certification fast and help you stay certified – guaranteed.
- Our Senior Consultants are highly trained and approved to do assessment work for the British Standards Institution (BSI), which is one of the leading certification bodies. Hence we have seen numerous management systems and know what it takes to get ISO 27001 certified.
- We are BSI Associated Consultant Platinum members which not only means we are trusted by BSI to deliver excellent consulting services, it also means we are able to offer our clients better lead times and discounts on training with BSI.
- Our consultants all have a business background and will ensure you get a management system that will support your business, not a system that supports a standard.
- We are client led and will always design a programme that fits around the client needs based on a thorough GAP analysis.
So if you are considering ISO 27001, call us now to discuss how we can help you design and implement a great ISO 27001 compliant Information Security Management System and avoid all the pitfalls.