Peer to Peer, the official publication of the International Legal Technology Association (ILTA), published a special editorial feature in its Winter 2015 issue regarding important developments in the world of data security. Among the subjects tackled was the new ISO 27001:2013 certification for information security.
International Organization for Standardization (English acronym is ISO) develops standards for a number of global certifications. The ISO 27001 certification for information security management systems specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented data security management system within an organization. For data centers, ISO 27001:2005 was the gold standard to meet for many years, but that has now been retired and replaced by ISO 27001:2013.
In “What’s Different About the 2013 ISO Certification?”, our own Jeff Norris shares his thoughts on five keys to understanding how this new certification is a game-changer for providers of legal services. Some of his comments:
1. First major standards revision
“The 2013 revision is the first major revision of the standard since its inception,” says Mr. Norris, senior director of information security for LexisNexis Managed Technology Services. The updates are required to keep up with changes and introduction of new technologies.
2. Integration of management systems
The “updates to management system requirements allow organizations to have an integrated management system, rather than distinct separate ones if achieving multiple certifications,” writes Norris. For example, LexisNexis takes advantage of this now to have just one management system for both 27001 and 9001 certifications.
3. Alignment of risk assessments
“Risk assessment components were updated to help align them with the other standards,” says Mr. Norris. This is helpful as it allows organizations and their managed technology service providers to use the same risk assessment methodology between them.
4. Selection of controls
According to Mr. Norris: “The actual controls — such as access controls, monitoring, etc. — are to be selected using a process of risk assessment, rather than just picked from their reference controls.”
5. Clarification of control requirements
The new certification provides clarification of several different controls and elimination of duplicate requirements. “Control requirements have been updated and reduced to 114 from 133,” writes Mr. Norris. “The number of major clauses (or areas of focus) has expanded from 11 to 14.”
Mr. Norris advises that the importance for firms in selecting vendors that achieve (any) certification is the demonstration of the commitment of leadership and assurance of the business and business processes itself.
This also assists in validating with their clients that their vendors are investing in sound business and security practices, and helps answer security audits and inquiries easier. Global industry standards such as ISO 27001:2013 provide important third-party validations that litigation data is being hosted in secure, highly available, certified data centers.
* * *
If you enjoyed this post, you might also like:
6 Key Ingredients to a Law Firm Data Security Plan