Stats: Over 725 lawyers in Canada’s top five markets
Keeping client data safe is a concern for every business, and for the legal profession that concern is especially well founded. Law firms handle a large volume of sensitive client data and intellectual property, so clients look for every assurance that controls are in place and information is protected. ISO/IEC 27001:2013 certification is the gold seal of approval for an information security management system (ISMS): it demonstrates that the holder has been through a formal, rigorous and ongoing audit process. One leading national law firm recently embarked on that process, leveraging CDW’s expertise along the way.
ISO 27001 specifies the requirements for an ISMS, a structured set of activities for managing information risk. Building one means establishing an information security program that the organization follows to identify, analyze and treat information security risks. The standard requires management to systematically examine information security risks, design and implement security controls to address them, and adopt a management process that verifies those controls continue to be met over time.
Threat risk assessment determines key security risks
The firm engaged CDW to implement an ISMS that would pave the way to certification. An initial threat risk assessment, conducted before certification preparation began, provided a baseline and highlighted gaps in the firm’s security posture. During the assessment, key information assets were identified and given a sensitivity rating based on the confidentiality, integrity and availability requirements of the data. Next, risk scenarios were documented and the impact and likelihood of each scenario were rated, yielding an overall determination of the firm’s information security risks. Detailed reporting with recommendations for remediation was provided.
• Objective: implement an ISMS and become one of the first law firms in Canada to achieve ISO/IEC 27001:2013 certification
• Implemented security management policies and procedures, including an internal audit program, a management committee and a process for ongoing corrective action
• Achieved ISO 27001 certification, passing both stages of the certification audit (the stage 1 documentation review and the stage 2 implementation audit)
Preparing for the ISO 27001 certification was a five-month process
With the threat risk assessment completed, the firm was ready to begin the demanding work of preparing for the certification audit. In phase one, the team reviewed and customized the firm’s security policies, tailoring them to the legal environment. After the documentation review, a governance structure was put in place: a committee to oversee all information security tasks and the program’s annual deliverables. Over the five-month engagement, CDW security and risk assessment experts worked with the firm to document meetings and develop metrics, training the firm to take full ownership of the process. Finally, an internal audit was conducted to confirm the team was ready for the external certification audit.
How to get buy-in through knowledge transfer and training
Implementing an ISMS and achieving certification is not without its challenges. It requires significant executive buy-in and a culture shift across the firm. During the implementation, CDW met with the managing directors to provide an overview of ISO 27001, illustrating how the program would affect lawyers, administrative staff and operations. “We helped them understand what risk management is and the core processes that must be performed,” said Anthony Khan, Senior Consultant, Cyber Risk at CDW. Understanding the concepts and practices is crucial: “to run a successful security program, the organization must understand what is required of them on a monthly, quarterly and annual basis.”
Outcome: CDW implemented the security management structure, and the law firm passed both stages of the certification audit, confirming that the ISMS had been properly designed and implemented and was operational. “We had absolutely no compliance issues,” said Benjamin Li, Senior Consultant, Information Assurance at CDW. “That is virtually unheard of.”
How We Helped
• Threat risk assessment and gap analysis
• Information security management system (ISMS)
• Documentation review of policies and procedures
• Internal audit of the ISMS
• Audit management