{"id":24464,"date":"2019-10-15T11:13:28","date_gmt":"2019-10-15T11:13:28","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/?p=24464"},"modified":"2024-12-21T12:29:23","modified_gmt":"2024-12-21T12:29:23","slug":"iso-27001-for-law-firms-3-ways-to-maintain-confidentiality","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2019\/10\/15\/iso-27001-for-law-firms-3-ways-to-maintain-confidentiality\/","title":{"rendered":"3 reasons why ISO 27001 helps to protect confidential information in law firms"},"content":{"rendered":"<p><a href=\"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a> is about protecting information through a set of requirements that, among other methods, preserve information from unauthorized access or use. Every organization handles a variety of information with different associated risks depending on the people or the functional department to which it refers. Law firms are an example of organizations dealing with highly confidential information about employees, suppliers, contractors, and customers.<\/p>\n<p>Confidential information could be personal data, R&amp;D files, intellectual property rights, or financial deals. Some information may be disclosed to the public, while some needs to be kept confidential; some could be accessible to every member in the organization, while some needs to be restricted and within reach only for privileged users. Whatever it is, information needs to be protected. 
Learn how ISO 27001 certification helps in this article.<\/p>\n<h2>How can ISO 27001 help law firms with regard to confidential information?<\/h2>\n<p>So, let\u2019s see how ISO 27001 implementation can be helpful in protecting confidential information in any type of company, and in the next section, you\u2019ll find some useful tips on protecting the information in law firms.<\/p>\n<ul>\n<li><strong>Relationship between risk assessment and confidentiality.<\/strong> ISO 27001 requires organizations to assess the security risks associated with the information. The greater the impact on the organization and its clients, the higher the <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/05\/12\/information-classification-according-to-iso-27001\/\" target=\"_blank\" rel=\"noopener\">level of confidentiality<\/a> of the related information. As a consequence, security controls protecting confidential information could be recommended in order for risk to be addressed, mitigated, or avoided. For more about risk assessment, read the article <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-risk-assessment-treatment-management\/#assessment\" target=\"_blank\" rel=\"noopener\">How to assess consequences and likelihood in ISO 27001 risk analysis<\/a>.<\/li>\n<li><strong>Security culture vs. IT security. <\/strong>ISO 27001 requires people working under the control of the organization to be made aware of the importance of information security and the role they play in the protection of confidential information. You can have the most groundbreaking technology to protect your assets from internal and external threats, but if your people do not know why this is needed, then the technology is not going to stop data breaches. 
See also: <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/05\/19\/how-to-perform-training-awareness-for-iso-27001-and-iso-22301\/\" target=\"_blank\" rel=\"noopener noreferrer\">How to perform training &amp; awareness for ISO 27001 and ISO 22301<\/a>.<\/li>\n<li><strong>Enhance client loyalty for highly confidential data. <\/strong>Being certified against ISO 27001 could have an impact on organizations\u2019 brand and reputation, especially for those handling a large and complex volume of sensitive data (personal data, business information), as law firms do. If you handle clients\u2019 sensitive information, ISO 27001 could be a unique selling point, and therefore used as a marketing edge. Learn more about the benefits of the standard in the article <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/iso-27001-implementation-checklist\/#benefits\" target=\"_blank\" rel=\"noopener noreferrer\">Four key benefits of ISO 27001 implementation<\/a>.<\/li>\n<\/ul>\n<p>ISO 27001 is a standard that is not compulsory, but definitely advisable for law firms when talking about information protection.<\/p>\n<h2>Implementation of security controls in law firms<\/h2>\n<p>Law firms handle a treasure trove of personal and sensitive data and are an attractive target for attackers, which makes them among the organizations most likely to be compromised by an attack. The implications of a breach could be worse for organizations operating in the legal sector than for those in other sectors, primarily because of the reputational damage it causes.<\/p>\n<p>Law firms must keep their client data as safe as possible in order to preserve their clients\u2019 trust. ISO 27001 helps them by providing security controls. 
We have singled out some key controls that are considered highly recommended in law firms.<\/p>\n<h3 style=\"font-size: 18px;\">A.8.2.1 \u2013 Classification of information<\/h3>\n<p>Information inside an organization should be classified considering its value and level of sensitivity. Most commonly, classification is based on confidentiality.<\/p>\n<p>ISO 27001 control A.8.2.1 requires an organization to ensure that information has an appropriate level of protection considering its importance. In law firms, the primary sources of information include data about clients, judges, cases, trials, and legislative changes, but there are different levels of importance and confidentiality for every one of them.<\/p>\n<p>Client trade secrets, details on mergers and acquisitions, and attorney-client privileged information are clear examples of highly confidential information that requires strong security measures. In contrast, a law firm\u2019s communication that is directed to all employees, even if classified as internal and therefore not approved for release in the public domain, would, if disclosed, have a negative effect on only a small group of users.<\/p>\n<p>Moreover, there could be information that everyone considers confidential, such as organizational changes (especially those affecting the HR department), which is not included in the organization\u2019s classification scheme and is therefore disclosed.<\/p>\n<p>Consequently, law firms are recommended to provide employees with a system categorizing all information on the basis of the level of confidentiality and the impact to the organization in case of alteration, destruction, or unauthorized disclosure of data. 
Different data protection procedures should be applied to each classification level in order to ensure appropriate security.<\/p>\n<p>A suggested scheme of classification for law firms could include the following categories: &#8220;Public,&#8221; &#8220;Internal use,&#8221; &#8220;Restricted,&#8221; and &#8220;Confidential.&#8221;<\/p>\n<h3 style=\"font-size: 18px;\">A.8.2.2 \u2013 Labeling of information<\/h3>\n<p>Once information is classified, a labeling pattern should be implemented according to the classification scheme adopted.<\/p>\n<p>People working inside a law firm should be able to recognize the kind of information they handle in a clear and timely manner, so that sensitive information is shared appropriately or kept safe.<\/p>\n<p>A pattern of labeling reflecting the scheme of classification (public, internal, restricted, or confidential) could be adopted. Examples of labels could be:<\/p>\n<ul>\n<li>In the case of paper, the classification could be written (e.g., &#8220;Internal&#8221;) on the covers of folders containing documents.<\/li>\n<li>In the case of digital files, such as databases and business applications, electronic labels could be added to the login screen clearly identifying the level of confidentiality of the data that is processed.<\/li>\n<li>In the case of electronic mail, the classification could be indicated in the subject of the e-mail and a disclaimer could be inserted in the body of the e-mail.<\/li>\n<\/ul>\n<h3 style=\"font-size: 18px;\">A.8.2.3 \u2013 Handling of assets<\/h3>\n<p>A set of procedures for handling data should be implemented according to the level of confidentiality of information as identified by the classification scheme.<\/p>\n<p>An organization handling highly sensitive information, such as a law firm, should adopt a set of rules to manage, archive, and use assets on the basis of the level of confidentiality. 
In accordance with the classification scheme suggested in the A.8.2.1 control paragraph, examples could include:<\/p>\n<ul>\n<li>publication on an Intranet site for information classified as &#8220;internal&#8221;<\/li>\n<li>encryption for information classified as &#8220;confidential internal&#8221; that needs to be transferred<\/li>\n<li>restricted access for information classified as &#8220;highly confidential&#8221;<\/li>\n<\/ul>\n<p style=\"padding-top: 15px; padding-bottom: 10px;\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-24465\" src=\"\/wp-content\/uploads\/\/sites\/5\/2019\/10\/controls-law.jpg\" alt=\"ISO 27001 for law firms: 3 ways to maintain confidentiality\" width=\"1000\" height=\"628\" srcset=\"\/wp-content\/uploads\/sites\/5\/2019\/10\/controls-law.jpg 1000w, \/wp-content\/uploads\/sites\/5\/2019\/10\/controls-law-300x188.jpg 300w, \/wp-content\/uploads\/sites\/5\/2019\/10\/controls-law-768x482.jpg 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<h2>ISO 27001 as a reliable way of protecting data<\/h2>\n<p>Now that we\u2019ve seen how ISO 27001 positively impacts the protection of confidential information in law firms, think once more about the level of confidentiality of your business, and take all the steps needed to protect your sensitive information. 
Implementation and eventual certification against ISO 27001 is a reliable and trustworthy way to achieve your goal, so this is definitely something to think about and discuss with your executives.<\/p>\n<p style=\"padding-bottom: 10px;\"><em>To learn how to implement ISO 27001 through a step-by-step wizard and get all the necessary policies and procedures,\u00a0<a href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener\"><strong>sign up for a free trial<\/strong><\/a>\u00a0of Conformio, the leading ISO 27001 compliance software.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>ISO 27001 is about protecting information through a set of requirements that, among other methods, preserve information from unauthorized access or use. Every organization handles a variety of information with different associated risks depending on the people or the functional department to which it refers. 
Law firms are an example of organizations dealing with highly &#8230;<\/p>\n","protected":false},"author":105,"featured_media":24465,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[256,381,1766,1767,1768],"class_list":["post-24464","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-certification","tag-iso-27001","tag-confidentiality","tag-confidential-data","tag-law-firms"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/24464","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/105"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=24464"}],"version-history":[{"count":1,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/24464\/revisions"}],"predecessor-version":[{"id":103209,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/24464\/revisions\/103209"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/24465"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=24464"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=24464"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=24464"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}