5 Things Legal Tech Should Know About ISO 2013 Certification

Peer to Peer, the official publication of the International Legal Technology Association (ILTA), published a special editorial feature in its Winter 2015 issue regarding important developments in the world of data security. Among the subjects tackled was the new ISO 27001:2013 certification for information security.

The International Organization for Standardization (ISO) develops standards for a number of global certifications. The ISO 27001 certification for information security management systems specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system within an organization. For data centers, ISO 27001:2005 was the gold standard to meet for many years, but it has now been retired and replaced by ISO 27001:2013.

In “What’s Different About the 2013 ISO Certification?”, our own Jeff Norris shares his thoughts on five keys to understanding how this new certification is a game-changer for providers of legal services. Some of his comments:

1. First major standards revision

“The 2013 revision is the first major revision of the standard since its inception,” says Mr. Norris, senior director of information security for LexisNexis Managed Technology Services. The updates are needed to keep pace with changes in, and the introduction of, new technologies.

2. Integration of management systems

The “updates to management system requirements allow organizations to have an integrated management system, rather than distinct separate ones if achieving multiple certifications,” writes Norris. For example, LexisNexis now takes advantage of this to run a single management system for both its ISO 27001 and ISO 9001 certifications.

3. Alignment of risk assessments

“Risk assessment components were updated to help align them with the other standards,” says Mr. Norris. This is helpful because it allows organizations and their managed technology service providers to share a single risk assessment methodology.

4. Selection of controls

According to Mr. Norris: “The actual controls — such as access controls, monitoring, etc. — are to be selected using a process of risk assessment, rather than just picked from their reference controls.”

5. Clarification of control requirements

The new certification clarifies several different controls and eliminates duplicate requirements. “Control requirements have been updated and reduced to 114 from 133,” writes Mr. Norris. “The number of major clauses (or areas of focus) has expanded from 11 to 14.”

Mr. Norris advises that the value to firms of selecting vendors that have achieved any certification lies in the demonstrated commitment of the vendor's leadership and the assurance it provides about the business and its processes.

It also helps firms demonstrate to their clients that their vendors are investing in sound business and security practices, and makes responding to security audits and inquiries easier. Global industry standards such as ISO 27001:2013 provide important third-party validation that litigation data is being hosted in secure, highly available, certified data centers.

* * *

Note: This post is by Daryn Teague, who provides support to the litigation software product line based in the LexisNexis Raleigh Technology Center.


Photo credit: Flickr, Uqbar is back, node (CC BY-SA 2.0)
