ISO 27001 FastTrack Case Study

24 December 2025

The challenge

The client needed to be able to demonstrate best-in-class information security for its clients’ peace of mind.

The solution

ISO 27001 FastTrack.

The benefit

A certifiable ISO 27001 information security management system delivered on time and within budget.

Background

Leading legal firm Aberdein Considine was one of a select group of law firms in Scotland to attain the UKAS-accredited ISO 27001 certification, demonstrating its commitment to high standards of information security across all of its practice areas and 18 locations.

Aberdein Considine is a fast-growing law firm that recently recorded an annual turnover of £20 million. Building on the goodwill of clients is of paramount importance to gaining and retaining business and developing the brand.

With cyber crime on the increase, it is the duty of every member of staff to protect client confidentiality by protecting the firm’s data assets. Aberdein Considine favours an international standards-based approach so that it can adapt to a changing threat landscape.

The equity partners agreed to adopt the internationally recognised standard ISO 27001 to reinforce Aberdein Considine’s commitment to its financial and banking clients. This would involve the cooperation and support of more than 350 members of staff across 18 offices in the Scottish regions, as these would all be ‘in-scope’ for the information security management system (ISMS).

Gaining certification ahead of other law firms, and so leading the market, would be a challenge. Nick Tinning, IT director at Aberdein Considine, selected IT Governance, a GRC Solutions company, to help implement an ISO 27001 ISMS, knowing that expert guidance would save time and money.

[GRC Solutions] have significant experience and have provided exceptional support to a complex and difficult project. I can best illustrate their consultants’ skills by mentioning our online training facility. We are especially proud of this innovation. The PowerPoint slides and Adobe online forms that we use to support staff training and awareness programmes owe much to [GRC Solutions's] input and have attracted positive comments from auditors. This intranet learning resource is evidence that we practise what we preach when it comes to information security!

Nick Tinning IT Director, Aberdein Considine

Requirements

ISO 27001 sets out a clear framework for managing the security of an organisation’s information assets, including all forms of financial information, intellectual property, employee details and information entrusted to it by third parties. Client data records, case files and legal documents sent by other law firms also fall within this definition. This meant that there would be a great deal of confidential information included in the scope – information that would need to be protected by reliable and auditable procedures and controls.

Aberdein Considine was aware that the Standard is demanding to comply with, and that the project would need to be supported by appropriate management skills and expert guidance. The requirements for adopting ISO 27001 across 18 office locations would include detailed planning and an implementation schedule, designed with the help of consultants.

The process

A senior risk consultant undertook a risk assessment that examined the firm’s existing information security practices and made recommendations to bring them into line with the requirements of ISO 27001.

Aberdein Considine was already subject to regular information security audits by its own auditors, as well as to audits by third-party auditors acting on behalf of its clients and partners.

In Nick’s words:

It made sense to certify to ISO 27001 because the workload of regular audits would be greatly eased by having evidence to show of internal standards compliance. Some of our major clients, including banks and other mortgage lenders, would accept ISO 27001 certification without the need for detailed audits, knowing that the certification body had done this. A risk assessment is also important to them and of course forms part of the ISO 27001:2013 requirements – hence adoption was a ‘no-brainer’; the only problem was likely to be the time it would take to bring 18 office locations and nearly 400 staff into scope.

The consultants provided on-site assistance that showed us how to get through the strain of an asset-based risk assessment (that’s the method that we chose, even though we were aware of the other options available in the new version of the Standard) and how to achieve a best fit with overlapping policies and procedures found in the firm’s business operations. The [GRC Solutions] consultancy team, working with me and my colleagues Dave Mitchell (HR Manager), Susan Barclay (Practice Manager) and Greig Robertson (Project Manager), was able to assist in the formation of an effective Information Security Project Committee to drive the project forward.

[GRC Solutions] made a significant contribution in showing us how to put together an intranet that enabled the sharing of workload. They also explained how to get the best out of the vsRisk software that we used in the risk assessment process – saving considerable time and effort. The [GRC Solutions] consultant delivered an on-site training programme that accelerated our progress towards Stage 1 audit. Stage 2 followed in August when we were approved for our ISO 27001 certification.

The [GRC Solutions] consultants provided the guidance and recommendation of the amount of detail to include in the documentation for our ISMS. One of the understandable assumptions that we made when we first started ISO 27001 was to cover ourselves by being over-inclusive; a practice which leads to more work in the long run just keeping the records up to date to satisfy the audit requirements.

We put our ISMS documentation online on the corporate intranet where it can be regularly updated. The firm used Microsoft SharePoint along with Adobe Forms to control, log and measure training with relative ease. The facility is there for people to review whenever they have a need to do so! The content is well structured and presented neatly (e.g. short, easy-to-read summary/intro pages hyperlinked to more detailed supporting pages containing the detail that’s there when it’s needed but not getting in the way of you reading the basic text).

We learned that with corporate policies, procedures and controls, shorter and more succinct is always better as it results in less to:

  • Write;
  • Review, consider, check out;
  • Approve;
  • Implement, i.e. mandate, circulate, put into practice;
  • Read and understand;
  • Train people about/make them aware of;
  • Police, i.e. check/ensure compliance with, and audit against; and
  • Maintain firm-wide continuity.

The project support provided by [GRC Solutions’s] consultants transferred the detailed knowledge that my team and I needed at each and every key stage in the adoption of ISO 27001.

The outcome

Despite a heavy workload as IT director, Nick was able to deliver the ISO 27001 project outcomes on time and within budget.

Staff are trained in information security best practice on a regular basis, and Aberdein Considine is continually improving business processes and procedures. Managers can see the difference in the firm’s stance compared to its competitors in simple aspects like its clear desk policy, regular penetration test reports, and internal audits of its information security procedures.

All relevant information security risks are assessed on an ongoing basis as part of the ISMS. For example, insider risk is evaluated, and background credit and DBS checks are performed for all staff appointments, regardless of contract duration. Everyone is aware of physical security risks such as data being overlooked on PC and mobile device screens, tailgating, and the need to protect paper documents and prevent data leakage.

Jacqueline Law, a corporate partner at Aberdein Considine, believes ISO 27001 certification reflects the importance the firm places on the security of its own and its clients’ information. She said: “The risk to data, whether it is through theft, malicious intent or accident, increases in tandem with the growing use of the Internet and new technologies to process what can be highly confidential information, and it is an area that the firm places great importance on. To achieve ISO 27001:2013 certification – one of only a handful of law firms in Scotland to achieve this – is incredibly pleasing and recognises our commitment to high standards of information asset security.”

The solution

Specially formulated for small businesses with 20 employees or fewer, our ISO 27001 FastTrack service delivers an ISMS capable of certification within three months, for a one-off fee. If you intend to go on to seek certification, the service can be extended with our ISO 27001 FastTrack Managed Service, which provides ongoing support through certification and beyond.

Why choose GRC Solutions?

GRC Solutions has more than 20 years’ experience helping organisations get their cyber security right, working with boards and senior managers in large and small businesses to identify and manage cyber risks in line with the organisation’s risk appetite and commercial business drivers.

  • Our ISO 27001 implementation methodology has been honed over 15 years.
  • We are known as the global authority on ISO 27001 – our management team led the world’s first certification project against the standard, then known as BS 7799.
  • We offer everything you need to implement an ISO 27001-compliant ISMS – you don’t need to go anywhere else.
  • You benefit from real-world practitioner expertise, not just academic knowledge.
  • We have trained more than 7,000 professionals on ISO 27001 implementations and audits worldwide.
  • We have helped more than 600 consultancy clients achieve certification to and compliance with ISO 27001.
  • We have a proven and pragmatic approach to assessing compliance with international standards, no matter the size or nature of your organisation.
  • Our pricing and proposals are completely transparent, so you won’t get any surprises.
  • We can help small organisations prepare for ISO 27001 certification in three months.