Put your question to the experts

Engage with your peers in legal business services with our clever crowdsourcing engine.

Ask a question »

Is anyone looking at IT security accreditation? Some thing other than the full monty ISOs which cover much more?

I am not looking for any sales advice at this stage to please no sales people.
Asked by: Patrick Lynch
Tags: IT security accreditation
Answer this?
Hi Patrick, Have you looked at the Cyber Essentials Scheme, a government developed scheme? https://www.gov.uk/government/publications/cyber-essentials-scheme-overview The scope is small and you can self assess and move on to verification if you want to. It is aimed at the SMEs but would be a good place to start. The disadvantage to this is it only covers basic protection from internet threats. With ISO 27001 you can define your scope so you can start off on one specific part of the business and therefore make certain controls non applicable. I have heard there were a couple of law firms that just applied it to their document management system, for example. Also as it's an internationally recognized standard it can be applicable to any international offices. It depends on why you want to gain an accreditation? Is it due to client demand? Are you getting loads of questionnaires and therefore want to fill them out quicker? I have heard some clients are requesting on site audits of their law firms to physically see policy and procedure. Whilst the Cyber Security Credentials looks to be a good framework and internet is important to a law firm, you may want to think about what is it you want to give assurance you are protecting, which I guess goes back to the "why" A client would be looking for a lot more than just internet security. Their data is just as important. Hope there is some food for thought? Kind Regards Gill

Add your comment