Francesca Lucarini ISO 27001 is about protecting information through a set of requirements that, among other methods, preserve information from unauthorized access or use. Every organization handles a variety of information with different associated risks depending on the people or the functional department to which it refers. Law firms are an example of organizations dealing with highly confidential information about employees, suppliers, contractors, and customers.
Confidential information could be personal data, R&D files, intellectual property rights, or financial deals. Some information may be disclosed to the public, while some needs to be kept confidential; some could be accessible to every member in the organization, while some needs to be restricted and within reach only for privileged users. Whatever it is, information needs to be protected. Learn how ISO 27001 certification helps in this article.
How can ISO 27001 help law firms with regards to confidential information?
So, let’s see how ISO 27001 implementation can be helpful in protecting confidential information in any type of company, and in the next section, you’ll find some useful tips on protecting the information in law firms.
- Relationship between risk assessment and confidentiality. ISO 27001 requires organizations to assess the security risks associated with the information. The greater the impact on the organization and its clients, the higher the level of confidentiality of the related information. As a consequence, security controls protecting confidential information could be recommended in order for risk to be addressed, mitigated, or avoided. For more about risk assessment, read the article How to assess consequences and likelihood in ISO 27001 risk analysis.
- Security culture vs. IT security. ISO 27001 requires people working under the control of the organization to be made aware of the importance of information security and the role they play in the protection of confidential information. You can have the most groundbreaking technology to protect your asset from internal and external threats, but if your people do not know why this is needed, then the technology is not going to stop data breaches. See also: How to perform training & awareness for ISO 27001 and ISO 22301.
- Enhance client loyalty for highly confidential data. Being certified against ISO 27001 could have an impact on organizations’ brand and reputation, especially for those handling a large and complex volume of sensitive data (personal data, business information), as law firms do. If you handle clients’ sensitive information, ISO 27001 could be a unique selling point, and therefore used as a marketing edge. Learn more about the benefits of the standard in the article Four key benefits of ISO 27001 implementation.
ISO 27001 is a standard that is not compulsory, but definitely advisable for law firms when talking about information protection.
Implementation of security controls in law firms
Law firms handle a real treasure trove of personal and sensitive data and represent a potential target for hackers, and therefore can serve as an example of the most likely to be compromised by an attack. The implications of a legal breach could be worse for organizations operating in the legal sector than for those in other sectors, primarily because of the reputational damage being caused.
Law firms must keep their client data as safe as possible in order to preserve their clients’ trust. ISO 27001 helps them by providing security controls. We have singled out some key controls that are considered highly recommended in law firms.
A.8.2.1 – Classification of information
Information inside an organization should be classified considering its value and level of sensitivity. Most commonly, this is according to the confidentiality.
ISO 27001 control A.8.2.1 requires an organization to ensure that information has an appropriate level of protection considering its importance. In law firms, the primary source of information includes data about clients, judges, cases, trials, and legislative changes, but there are different levels of importance and confidentiality regarding every one of them.
Client trade secrets, details on mergers and acquisitions, and attorney-client privileged information are true examples of highly confidential information that require strong security measures. In contrast, a law firm’s communication that is directed to all employees, even if classified as internal and therefore not approved for release in the public domain, could have a negative effect on just a small group of users.
Moreover, there could be information unanimously considered confidential, such as organizational changes (especially those affecting the HR department), which are not included in the organizational scheme of classification and are thereby disclosed.
Consequently, law firms are recommended to provide employees with a system categorizing all information on the basis of the level of confidentiality and the impact to the organization in case of alteration, destruction, or unauthorized disclosure of data. Different procedures about data protection should be applied to each classification level in order to safeguard proper security.
A suggested scheme of classification for law firms could include the following categories: “Public,” “Internal use,” “Restricted,” and “Confidential.”
A.8.2.2 – Labeling of information
Once information is classified, a labeling pattern should be implemented according to the classification scheme adopted.
People working inside a law firm should recognize the kind of information they handle in a clear and timely manner in order for sensitive information to be shared or kept safer.
A pattern of labeling reflecting the scheme of classification (public, internal, restricted, or confidential) could be adopted. Examples of labels could be:
- In the case of paper, information could be written (e.g.: “Internal”) on the covers of folders containing documents.
- In the case of digital files, such as databases and business applications, electronic labels could be added to the login screen clearly identifying the level of confidentiality of the data that is processed.
- In the case of electronic mail, classification could be indicated in the subject of the e-mail and a disclaimer could be inserted in the body of the e-mail.
A.8.2.3 – Handling of assets
A set of procedures for handling data should be implemented according to the level of confidentiality of information as identified by the classification scheme.
An organization handling highly sensitive information, such as a law firm, should adopt a set of rules to manage, archive, and use assets on the basis of the level of confidentiality. In accordance with the classification scheme suggested in the A.8.2.1 control paragraph, examples could include:
- publication on an Intranet site for information classified as “internal”
- encryption for information classified as “confidential internal” that needs to be transferred
- restricted access for information classified as “highly confidential”
ISO 27001 as a reliable way of protecting data
Now that we’ve seen how ISO 27001 positively impacts the protection of confidential information in law firms, think once more about the level of confidentiality of your business, and take all the steps needed to protect your sensitive information. Implementation and eventual certification against ISO 27001 is a reliable and trustworthy way to achieve your goal, so this is definitely something to think about and discuss with your executives.
For more help about handling risks when protecting confidential information in a law firm, download this free white paper: Step-by-step explanation of ISO 27001 risk management.
