Monday, September 19, 2011

ISO 27001 For Law Firms -- Report from Risk Roundtable Seminar Featuring IntApp, Cravath & Forrester Research

We saw tremendous interest in our Roundtable session on ISO 27001, the information security standard. It's clear that this is a growing trend for law firms. (We expect that you'll start hearing more about this issue from other sources in the months to come.)

Brian Lynch, who chairs the Risk Roundtable Compliance Consortium, attended the event last Friday and sends this session summary:
  • Dan – I'm pleased to report back on last Friday’s engaging and educational Risk Roundtable seminar on ISO 27001 for law firms. We were graciously hosted in the New York offices of Cravath, Swaine & Moore and featured speakers who described their real-world experiences with ISO implementations - not just theoretical speculation.
  • Andrew Rose from Forrester spoke about well-considered approaches to ISO certification, including benefits firms may not have expected and pitfalls to watch out for. He's well versed in the ISO terrain after leading certification efforts for Clifford Chance and Allen & Overy in the UK.
  • Jeff Franchetti, CIO of Cravath, also walked us through his efforts to become ISO-compliant and, more importantly, to build an intelligent structure for managing information risk and security.
  • Over three hours, CIOs and IT leaders in the room had a chance to hear about real-life implementations - selling the concept internally, securing management buy-in, executing successful projects and reaping the benefits.
Some highlights:
  • Partnering with management – ISO 27001 is a combination of well-understood policies and procedures supported by technology that can enforce them. ISO programs tend to be most successful when management and IT work together throughout the process.
  • 27001 certification v. 27002 compliance – Some firms are pursuing 27002 compliance first. 27002 is an "advisory standard," where certification is not the objective. However, a firm can organize its security processes and protocols. Once firms feel comfortable with 27002, some opt to pursue 27001 certification, which includes requirements and focuses more on repeatable processes.
  • Look to clients for the standard, not peer law firms – firms are seeing a number of trends pointing to ISO: ISO-influenced language appearing in RFPs, clients enlisting third parties to conduct law firm audits, and clients requiring ISO 27001 certification.
[Given the response to this issue, we’re looking at future sessions in other client locations. Stay tuned.]
