ISO 27001 for Law firms – 3 Ways to Protect Confidential Information

ISO 27001 certification is best understood not as a one-off project but as an ongoing management discipline that commits a business to continually improving its information security. Top management must adopt this discipline and lead by example for it to be truly effective.

Officially, ISO/IEC 27001 is an international standard for information security; it requires organizations to establish, implement, maintain, and continually improve an information security management system (ISMS). Certification is the independent audit of that ISMS against the standard.

ISO 27001:2013 is about protecting information through a set of requirements that, among other things, keep information safe from unauthorized access or use. Every organization handles a variety of information with different associated risks, depending on the people or the business function it relates to. Law firms are a clear example: they deal with highly confidential information about employees, suppliers, contractors, and clients.

Confidential information could be personal data, R&D files, intellectual property, or financial deals. Some information may be disclosed to the public, while some needs to be kept confidential; some could be accessible to every member of the organization, while some needs to be restricted to authorized users only. Whatever it is, information needs to be protected. This article explains how ISO 27001 certification helps.

How can ISO 27001 help law firms with regards to confidential information?

So, let’s first see how implementing ISO 27001:2013 helps protect confidential information in any type of company; the next section then gives some practical tips for protecting information in law firms.

  • Relationship between risk assessment and confidentiality: ISO 27001 requires organizations to assess the security risks associated with their information. The greater the impact on the organization and its clients if information were disclosed, the higher the confidentiality level that information should carry. Risk treatment then selects the security controls that protect confidential information so that each risk is mitigated, avoided, transferred, or knowingly accepted.
  • Security culture vs. IT security: The ISO 27001 standard requires people working under the control of the organization to be made aware of the importance of information security and of the role they play in protecting confidential information. You can have the most groundbreaking technology protecting your assets from internal and external threats, but if your people do not know why it is needed, the technology alone is not going to stop data breaches.
  • Enhance client loyalty for highly confidential data: Being certified against ISO 27001 can strengthen an organization’s brand and reputation, especially for organizations that handle a large and complex volume of sensitive data (personal data, business information), as law firms do. If you handle clients’ sensitive information, ISO 27001 can be a unique selling point and therefore a marketing edge.

Certification against ISO 27001 is voluntary, but it is definitely advisable for law firms when it comes to protecting information.

ISO 27001 Annex A controls for classifying and handling confidential information

A.8.2.1 – Classification of information

Information inside an organization should be classified according to its value and level of sensitivity. Most commonly this is driven by confidentiality, although the impact of unauthorized alteration or destruction (integrity and availability) should be considered as well.

Control A.8.2.1 requires an organization to ensure that information receives a level of protection appropriate to its importance (in the 2022 revision of the standard, controls A.8.2.1, A.8.2.2, and A.8.2.3 became 5.12, 5.13, and 5.10). In law firms, the main sources of information are data about clients, judges, cases, trials, and legislative changes, but each of these has a different level of importance and confidentiality.

Client trade secrets, details of mergers and acquisitions, and attorney-client privileged information are true examples of highly confidential information that require strong security measures. In contrast, an all-staff communication, even if classified as internal and therefore not approved for public release, would cause only limited harm to a small group of people if it were disclosed.

Moreover, some information that everyone would regard as confidential, such as planned organizational changes (especially those affecting HR), may fall outside the organization’s classification scheme and end up disclosed precisely because nobody was formally required to protect it.

Consequently, law firms are recommended to give employees a scheme that categorizes all information according to its level of confidentiality and the impact on the organization of its alteration, destruction, or unauthorized disclosure. Different handling procedures should be applied at each classification level to ensure appropriate protection.

A suggested scheme of classification for law firms could include the following categories: “Public,” “Internal use,” “Restricted,” and “Confidential.”

A.8.2.2 – Labeling of information

Once information is classified, a labeling pattern should be implemented according to the classification scheme adopted.

People working inside a law firm should be able to recognize, clearly and immediately, the kind of information they are handling, so that sensitive information is shared only where appropriate and otherwise kept safe.

A labeling pattern reflecting the classification scheme (Public, Internal, Restricted, or Confidential) could be adopted. Examples of labels include:

  • In the case of paper, the classification (e.g. “Internal”) could be written on the covers of folders containing documents.
  • In the case of digital systems, such as databases and business applications, an electronic label could be shown on the login screen clearly identifying the confidentiality level of the data processed; individual files can carry the label in their metadata or document header.
  • In the case of electronic mail, the classification could be indicated in the subject line and a disclaimer inserted in the body of the e-mail.

A label is only a signal; by itself it protects nothing. Its value is that both people and technical controls (mail gateway rules, data loss prevention, access policies) can act on it consistently, which is the subject of the next control.

A.8.2.3 – Handling of assets

A set of procedures for handling data should be implemented according to the level of confidentiality of information as identified by the classification scheme.

Organizations handling highly sensitive information, such as law firms, should adopt a set of rules for managing, archiving, and using assets according to their confidentiality level. Following the classification scheme suggested under A.8.2.1, examples could include:

  • publication on the Intranet for information classified as “Internal,” but never on externally reachable systems
  • mandatory encryption (for example, S/MIME, a client portal, or an encrypted attachment) for information classified as “Restricted” or “Confidential” whenever it is transferred outside the firm
  • access limited to named individuals on a need-to-know basis, such as the matter team, for information classified as “Confidential,” with access logged and reviewed
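The labeling and handling rules above lend themselves to an automated check at the mail gateway. The following is an added example, not code from the original article or from the standard: a small outbound-mail policy check that reads the classification label from the subject line (A.8.2.2) and enforces a handling rule for each level (A.8.2.3). The four-level scheme, the firm domain `example-law.test`, the matter-team need-to-know list, the handling rules themselves, and the sample messages are all constructed for the example.

```python
"""Outbound e-mail handling check keyed on classification labels (illustrative)."""
from dataclasses import dataclass, field
import re

# Four-level scheme from the article, lowest to highest sensitivity (assumed ordering).
LEVELS = ("Public", "Internal", "Restricted", "Confidential")
# Label carried as a bracketed tag at the start of the Subject, e.g. "[Confidential] ...".
LABEL_RE = re.compile(r"^\s*\[(Public|Internal|Restricted|Confidential)\]", re.IGNORECASE)
FIRM_DOMAIN = "example-law.test"  # assumed firm domain; any other domain is external


@dataclass
class Message:
    subject: str
    sender: str
    recipients: list
    encrypted: bool = False            # e.g. S/MIME or an encrypted attachment
    attachments: list = field(default_factory=list)


def classification(msg):
    """Return the normalised label from the subject, or None if the message is unlabeled."""
    m = LABEL_RE.match(msg.subject)
    return m.group(1).capitalize() if m else None


def external_recipients(msg):
    """Recipients outside the firm's own domain."""
    return [r for r in msg.recipients if not r.lower().endswith("@" + FIRM_DOMAIN)]


def check_handling(msg, need_to_know=None):
    """Apply the handling rules for the message's label.

    Returns a list of violations; an empty list means the message may be sent.
    need_to_know is the set of addresses allowed to receive Confidential material
    for this matter (hypothetical matter-team access list).
    """
    level = classification(msg)
    if level is None:
        return ["unlabeled: a classification label is required in the subject"]
    ext = external_recipients(msg)
    findings = []
    if level == "Internal" and ext:
        findings.append("Internal information addressed to external recipients: " + ", ".join(ext))
    if level in ("Restricted", "Confidential") and ext and not msg.encrypted:
        findings.append(level + " information leaving the firm unencrypted to: " + ", ".join(ext))
    if level == "Confidential":
        allowed = {a.lower() for a in (need_to_know or set())}
        outside = [r for r in msg.recipients if r.lower() not in allowed]
        if outside:
            findings.append("Confidential information sent outside the matter team: " + ", ".join(outside))
    return findings


# Constructed sample traffic (not real messages or addresses).
MATTER_TEAM = {"partner@example-law.test", "associate@example-law.test", "gc@client.test"}

SAMPLES = {
    "public_ok": Message("[Public] Firm newsletter", "marketing@example-law.test",
                         ["press@news.test"]),
    "internal_leak": Message("[Internal] All-staff: new billing codes", "ops@example-law.test",
                             ["associate@example-law.test", "friend@webmail.test"]),
    "restricted_unencrypted": Message("[Restricted] Draft SPA v3", "associate@example-law.test",
                                      ["gc@client.test"], encrypted=False),
    "restricted_encrypted": Message("[RESTRICTED] Draft SPA v3", "associate@example-law.test",
                                    ["gc@client.test"], encrypted=True),
    "confidential_ok": Message("[Confidential] Privileged advice re: merger", "partner@example-law.test",
                               ["gc@client.test"], encrypted=True),
    "confidential_wrong_team": Message("[Confidential] Privileged advice re: merger", "partner@example-law.test",
                                       ["gc@client.test", "paralegal@example-law.test"], encrypted=True),
    "unlabeled": Message("Re: settlement figures", "partner@example-law.test",
                         ["associate@example-law.test"]),
}


def audit_samples():
    """Run the check over the constructed samples; returns {name: number of violations}."""
    return {name: len(check_handling(msg, MATTER_TEAM)) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, "->", check_handling(msg, MATTER_TEAM) or ["OK"])
```

Note that the check refuses unlabeled mail outright rather than guessing a level: an unlabeled message is the failure mode described above, where information nobody was obliged to classify is the information that leaks. In a real deployment the label would normally be read from a message header set by the mail client or a classification tool rather than parsed from the subject, and the rules would be enforced by the gateway or DLP product rather than by a script.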

ISO 27001 as a reliable way of protecting data

Now that we have seen how ISO 27001 certification improves the protection of confidential information in law firms, think once more about the confidentiality level of your own business and take the steps needed to protect your sensitive information. Implementing ISO 27001:2013, and eventually certifying against it, is a reliable way to achieve that goal, so it is definitely something to discuss with your executives.

We are an ISO 27001 certification body in Malaysia and can provide information about ISO 27001 and how to achieve certification. Feel free to contact us or visit our ISO 27001 frequently asked questions page. To get started with the certification process, you can also request a quote. We also provide ISO 27001:2013 Lead Auditor training in Malaysia covering the ISO 27001 certification procedure.