Ricci Dipshan, Legaltech News
The ISO 27001 Global Report finds
that the certification provides legal professionals with a competitive edge in
fostering and growing client relations.
The ISO 27001
cybersecurity certification, which provides standards for information security
management, is becoming a vital asset for law firms looking to maintain and
grow their business in the modern economy, according to the ISO 27001 Global
Report 2016.
The report surveyed information security professionals
from a variety of industries, including law, tech and financial services, from
organizations in 53 countries around the world, including the U.S., U.K., India
and South Africa. A majority of respondents (80 percent) had information
security structures that were either already ISO 27001 certified (40 percent)
or in the process of obtaining certification in the "near future" (40
percent).
While 69 percent of respondents noted the main driver
for obtaining and implementing ISO 27001 was improving or creating information
security within their organization, an almost equal share (67 percent) said
they were driven to the certification due to the nature of their industry or
business requirements.
Over half (56 percent) also turned to ISO 27001 to
gain a competitive advantage or meet legal and regulatory compliance needs,
while around one-third said certification was necessary for garnering new
business (35 percent) or meeting the demands of their clients (33 percent).
Indeed, the report found that clients are proactively
vetting organizations that claim to be ISO 27001 certified, with 71 percent of
respondents noting that their organization receives regular or occasional requests
from current and prospective clients to provide evidence of certification.
Alan Calder, CEO of information governance solution
provider IT Governance Ltd., noted that there is an "increasing take up of
ISO 27001 from organizations that understand the importance of providing
assurance around corporate data protection," intellectual property and
personally identifiable information (PII).
He added that ISO 27001 is moving from "a
nice-to-have to a must-have" certification. "Top global law firms,
tech businesses, retail organizations—they're all starting to recognize that
information security management is mission-critical," he said.
In addition, David Ray, director of information
governance at Consilio, noted the certification is "becoming an expectation
particularly among premier law firms."
"It forces the entire organization to look at
everything from training to security controls. So when I go talk to a law firm
that has gone through this process, they are able to answer my questions much
more quickly and thoroughly, compared to an organization that hasn't gone
through that discipline," he said.
This certification is particularly important when law
firms take on clients in the financial industry, "where there is the
perception that [law firms] are still not as good as some traditional vendors
that are used to handling sensitive data," Ray added.
Despite the market demands for ISO 27001
certification, however, the survey found that getting upper management's
approval for certification is not always an easy task. Slightly over half (51
percent) of respondents noted that they had problems convincing board-level
managers about the importance of information security or securing the resources
needed to implement certification.
While only 38 percent of survey respondents said they
tracked the cost of implementing ISO 27001 certification, the consensus among
that group was that ISO 27001 expenditures ranged from $6,500 to $26,000. A
broader group of respondents also agreed that the median length of time to
implement was six months to a full year.
Aside from budgeting and time, implementing an ISO
27001 information security program also faced challenges from an unwilling
or unable employee base, with 41 percent of respondents considering employee
buy-in the main barrier to execution. An almost equal share (39 percent) also
cited the challenge of ensuring the right level of expertise in-house for such
implementation.