Note: This post was originally written in 2015 but was updated in June 2017 with the most recent available data.
Common questions we receive regarding ISO 27001 certification for law firms include “What do other law firms do?” or “How do we compare to other law firms you worked with?” Everyone likes to benchmark themselves from time to time, but it’s difficult to establish benchmarks when it comes to information security because so much is kept confidential. With ISO 27001, however, there is one simple benchmark that can be established using publicly available data: Scope.
The first step in preparing for ISO 27001 certification is to understand the context of your organization and establish the scope of information security management you would like to certify. If your law firm is pursuing ISO 27001 certification, it would be valuable to compare the intended scope of your certification with the scope of other certified law firms.
The scope of ISO 27001 certificates is publicly available from the various certification bodies that perform ISO 27001 certification audits and issue the certificates. For example, you can search the certificate directory for BSI and Schellman.
A Selection of ISO 27001 Scope Statements from Top Law Firms
2017 UPDATE: This post has been updated with the scope statements from the certificates for a sample of the 2017 Am Law 100.
| Rank | Firm Name | 2016 Gross Revenue | Certification Body | Scope |
|---|---|---|---|---|
| 5 | DLA (verein) | $2.47 billion | BSI | The management of information security for the protection of Firm’s Document Management System, the Mobile Device Management, and Email services hosted out of the Firm’s Data Center. |
| 8 | Hogan Lovells (verein) | $1.9255 billion | BSI | The ISMS (Information Security Management System) for the protection of client information held in the Information Management systems operated by the London and Washington DC offices. |
| 15 | Sullivan & Cromwell | $1.36 billion | BSI | The ISMS supports and protects the security of client and firm data and associated confidential information residing in domestic and international offices, conference centers, and business continuity sites. |
| 27 | King & Spalding | $1.0575 billion | SCHELLMAN | The scope of the ISO/IEC 27001:2013 certification is limited to the ISMS supporting King & Spalding’s partners, attorneys, and staff, information technology systems, policies, procedures, standards, tools, utilities, and data used in the business execution of these services. |
| 46 | Cravath | $738 million | BSI | A framework of information security management processes, practices and controls that ensure the confidentiality, integrity, and availability of firm-wide IT infrastructure and services that enable the business processes and activities supported by Document Management Service (DMS), Email Services (EMS), Litigation Document Storage Service (LDSS) and Remote Access Services (RAS). |
| 62 | Katten | $554 million | SCHELLMAN | The scope of the ISO/IEC 27001:2013 certification is limited to the ISMS supporting Katten’s legal practice, client services, administrative services, facilities, human resources and information technology. |
| 67 | Troutman Sanders | $490 million | SCHELLMAN | The scope of the ISO/IEC 27001:2013 certification is limited to the ISMS supporting Troutman Sanders systems, applications, and services. The ISMS scope includes Troutman Sanders IT personnel, attorneys, staff systems and applications, policies, procedures, standards, tools, utilities and data used in business execution and internal processes within the headquarters office, the primary and alternate data centers. |
| 69 | Nixon Peabody | $458 million | BSI | The protection of client data, work product and firm financial information stored, processed and transmitted in the provision of the firm’s practices, operations, and administration. |
| 94 | Steptoe | $356 million | SCHELLMAN | The scope of the ISO/IEC 27001:2013 certification is limited to the ISMS supporting the legal practice areas, human resources, and internal finance. |
| 100 | Shook Hardy | $334 million | SCHELLMAN | The scope of the ISO/IEC 27001:2013 information security management system covers the Legal Practice, Client Services, Research Analysis, Business Continuity, Continuing Legal Education (CLE), and Library Services and includes the Personnel, Information Technology Systems, Policies, Procedures, Standards, Tools, Utilities, and Data used in the business execution of these services. |
3 Categories of Law Firm ISO 27001 Scope Statements
These scope statements follow the typical pattern we see. The scope of ISO 27001 for law firms typically falls into one of three categories:
Category 1: Primary systems that touch client data and attorney work product, such as the document management system, litigation support system (if managed in-house), email system or remote access. Examples: DLA, Hogan Lovells, and Cravath.
Category 2: Primary systems that touch client data, attorney work product and billing/financial information for matters, such as the systems listed above as well as the practice management system, electronic billing system, accounting system and other financial systems used for expense reporting and timekeeping. Examples: Nixon Peabody and Steptoe.
Category 3: All IT systems that touch client data, attorney work product, and confidential firm data (financial, HR, etc.). Examples: Sullivan & Cromwell, King & Spalding, Katten and Troutman Sanders.
The larger the law firm, the narrower the scope tends to be. The scopes of ISO 27001 certificates for the largest law firms typically fall under Category 1 because the certification effort has to be replicated across offices around the globe. Category 1 is also a reasonable scope for firms whose primary driver for ISO 27001 certification is to provide assurance externally to third parties.
Category 2 is typically chosen by law firms that have a requirement to demonstrate the security of clients’ case information and financial information.
Category 3 is typically chosen by law firms that have a strong drive for ISO 27001 certification to provide assurance internally that the firm is following best practices to manage information security. Firms that fall into Category 3 also tend to be smaller, because it’s a simpler undertaking to implement an information security management system for the firm’s entire operation when there are fewer offices and staff to cover.
The most important thing for law firms to consider when establishing the scope of an ISO 27001 certification is the intended use of the certificate. The scope should cover what its stakeholders need it to cover, whether they are external (e.g. clients) or internal (e.g. management).
The advantage of benchmarking the scope of your law firm against others is that you can deliberately scope your ISO 27001 certificate for competitive advantage: either by covering more areas than other law firms, or by covering fewer areas in order to achieve certification faster than other firms your size. If the driver for ISO 27001 certification is internal, more systems can be brought into scope to give management broader governance over the firm, or fewer systems can be chosen to secure a quicker governance win that builds momentum.
To talk over the options for scoping your law firm’s ISO 27001 certification effort with experts who have a wealth of experience in the legal vertical, contact Pivot Point Security.