ISO-27001 for Law Firms
LegalSEC Summit 2014, Thursday, 6/12/2014, 9:30 – 10:30 am
Source: ilta.personifycloud.com/webfiles/productfiles/1878002/ISO_27001v1.pdf
Introduction
Andreas Antoniou – Chief Information Officer, Paul, Weiss, Rifkind, Wharton & Garrison LLP
Jeff Franchetti – Chief Information Officer, Cravath, Swaine & Moore LLP
Peter Kaomea – Chief Information Officer, Sullivan & Cromwell LLP
Agenda
Why get ISO 27001 certified?
What is ISO 27001?
How to get ISO 27001 certified?
Why get ISO 27001 certified?
Benefits of ISO 27001: Security and Compliance
Benefits: Security
• Law firms have high concentrations of confidential information spanning hundreds or thousands of clients
• We are facing increasing data privacy regulation (EU-Data Protection Act, US Privacy laws in 46 states, PIPEDA, HIPAA Omnibus)
• Clients are increasingly interested in information security in Requests for Proposals, Engagement Letters, Audits, etc.
• National security organizations have engaged many firms about the importance of protecting client confidences and about specific breaches
From “Preventing Law Firm Data Breaches”, Volume 38, Number 1: … Shane Sims, a security practice director at PricewaterhouseCoopers, has said, “Absolutely we’ve seen targeted attacks against law firms in the last 12 to 24 months because hackers, including state sponsors, are realizing there’s economic intelligence in those networks especially related to business deals, mergers and acquisitions.”
Protecting information helps protect firm brand
Benefits of ISO 27001
• ISO 27001 is an internationally recognized, externally certifiable standard (Compliance)
• that specifies a risk-based framework to initiate, implement, maintain, and continuously mature information security within an organization (Security).
Benefits: Demonstrates Due Care & Infosec Process Maturity
Benefits: Helps with Client Audits
“…In addition, if your company is in possession of any Information Security certification (e.g. BSI, SSAE 16, CSA CCM, ISO 27001, PCI DSS) or audit reports, please provide them before filling out the questionnaire as they may be sufficient proof of proper Information Security in your company and no further engagement will be required.”
Benefits: High “Law” of the Land
ISO-27001/2 – The Universe of Controls, encompassing:
• HIPAA
• SOX
• SOC2
• Privacy Laws
• NIST / FISMA
Benefits: Growing as Industry Standard
Requests for 27001 Certification are and will continue to escalate rapidly.
* Certification counts do not only show law firms
ISO-27001 Momentum in the Legal Industry
ISO-27001 is also used extensively in e-Discovery service providers (e.g., CDS, RVM, Daegis, Espion)
ISO 27001 Certified:
Allen & Overy; Bond Dickinson; Clifford Chance; Cravath, Swaine & Moore; Hogan Lovells; Irwin Mitchell; Linklaters; Orrick, Herrington & Sutcliffe; Paul, Weiss, Rifkind, Wharton & Garrison; Simpson Thacher & Bartlett; Sullivan & Cromwell; White & Case
Working Towards or Investigating Certification:
Buckley Sandler; Cleary Gottlieb Steen & Hamilton; Davis Polk & Wardwell; Debevoise & Plimpton; Fried, Frank, Harris, Shriver; Holland & Knight; Jones Day; Kramer Levin; Proskauer; Ropes & Gray; Shearman & Sterling; Skadden, Arps, Slate, Meagher & Flom; Taft Stettinius & Hollister; von Briesen & Roper; Wilmer Hale; Winston & Strawn
ISO 27001 is a superset of frameworks and regulations
ISO-27001/2 – The Universe of Controls, encompassing:
• HIPAA
• SOX
• SOC2
• Privacy Laws
• NIST / FISMA
Benefits of ISO 27001 Certification
• ISO 27001 is an internationally recognized, certifiable standard that specifies a risk-based framework to initiate, implement, maintain, and manage information security within an organization. Accordingly, it can help us to rationalize and prioritize our security initiatives and investments.
• Information security is required to protect the confidentiality, integrity, and availability of client, firm, and personal data and by doing that protect brand and reputation.
• Some clients are requesting it to augment or replace parts of their own audits.
• An increasing number of law firms are achieving ISO certification and are reporting that it helps with information security audits by clients.
• ISO 27001 is a “superset” of many other information security frameworks and regulatory controls.
What is ISO 27001?
ISO Myths
• It’s just a bunch of documents
• It requires a huge investment in technology
• It is only applicable to “big law”
• It is something we can just pass off to our Security Manager
What is ISO 27001?
• ISO 27001 is
• an internationally recognized,
• certifiable standard
• that specifies a risk-based framework
• to initiate, implement, maintain, & manage information security within an organization.
I.T. Maturity Models (in order of increasing value)
• Chaotic > ad hoc > undocumented > unpredictable
• Reactive > fight fires
• Proactive > automate
• Predictive > Operational Excellence
PWC US Cybercrime report (June 2014)
#1 issue that should concern you
Spending on cybersecurity with a misaligned (or without a) strategy isn’t smart
• Must prioritize security investments based on risk and impact to the business.
• Must classify the business value of data assets.
• Must have senior executive engagement and commitment.
Need a System, Structure, Framework
ISO Standard documents
ISO 27001, First Edition – 2005 (12 pages): Setting up your System
1. Scope
2. Normative references
3. Terms & definitions
4. ISMS
5. Management Responsibility
6. Internal ISMS audits
7. Management Review
8. ISMS improvement
Annex A – Control objectives
• 11 Domains • 39 Control Objectives • 133 Controls
“Sister Document”: ISO 27002
http://www.iso.org ($130)
ISMS (Information Security Management System)
The ISMS cycle, with the controls drawn from ISO 27002:
• Risk Assessment
• Treatment
• Mgt Review
Example: Laptop stolen from car
• You can protect your laptop with a password
• You can also encrypt your disk
• You can add a policy that you cannot leave your laptop in your car
• You can also ask your employees to sign a TOU (terms of use) statement
• You can also train your employees and make them aware of these risks (best practices)
The controls are never just IT related. Only with these combined controls can we be confident in our security. Easy?
Formal Process - Documentation
The (1st) standard contains 11 domains
• Security Policy
• Organization of Security
• Asset Management
• Human Resources Security
• Physical & Environment Security
• Communications & Operations Management
• Access Control
• Info. Systems Acquisition, Dev & Maint
• Information Security Incident Management
• Business Continuity Management
• Risk & Compliance
Standard Areas: Domain Areas – 11; Control Objectives – 39; Controls – 133
Example: Security Policy
Each of the 11 domains is structured as Domain → Objective → Control → Control; this example takes the Security Policy domain.
Example: Human Resources Security (one of the 11 domains)
A 8.1 Prior to employment
- Roles & Responsibilities
- Screening
- Terms & Conditions of employment
A 8.2 During Employment
- Management responsibilities
- Information security awareness, education & training
- Disciplinary process
A 8.3 Termination or change of employment
- Termination responsibilities
- Return of assets
- Removal of access rights
(Control detail from ISO 27002)
Who is involved?
• Law Firm, with a Consultant (optional): Prepare & Validate
• Registrar: Audit/Certify (e.g. http://www.bsigroup.org)
Firm roles: Senior Management, CIO/CSO, DMS Admin, Network Admin, System Admin, Practice Lead, Human Resources, Legal/Compliance, Physical Security
What does it cost? How long does it take?
It depends…
• Scope • Current gap • Firm capacity to efficiently make necessary changes • Schedule
Estimates:
• Certification Costs ($10K – $15K)
• Ongoing “Post-Certification” Costs ($3K – $5K)
• Consulting Costs ($0 – $80K) – optional
4 – 18 months, dependent upon:
• Scope, Gap, Resource Availability
• Budget, Client Demand
• ISMS expertise
• Willingness to disrupt BAU
Example timeline (Additional Details, © 2010 Pivot Point Security, Inc.):
• Education & Risk Assessment: 1 – 2 months
• Gap Analysis & Planning: 1 – 3 months
• Remediation: 1 – 10 months
• Certification: 1 – 2 months
How to get ISO 27001 certified?
ISO-27001 “Road Map” to Certification
1. We admitted we were powerless over alcohol—that our lives had become unmanageable.
2. Came to believe that a power greater than ourselves could restore us to sanity.
3. Made a decision to turn our will and our lives over to the care of God as we understood Him.
4. Made a searching and fearless moral inventory of ourselves.
5. Admitted to God, to ourselves, and to another human being the exact nature of our wrongs.
6. Were entirely ready to have God remove all these defects of character.
7. Humbly asked Him to remove our shortcomings.
8. Made a list of all persons we had harmed, and became willing to make amends to them all.
9. Made direct amends to such people wherever possible, except when to do so would injure them or others.
10. Continued to take personal inventory, and when we were wrong, promptly admitted it.
11. Sought through prayer and meditation to improve our conscious contact with God as we understood Him, praying only for knowledge of His will for us and the power to carry that out.
12. Having had a spiritual awakening as the result of these steps, we tried to carry this message to alcoholics, and to practice these principles in all our affairs.
The 12 Steps
ISO-27001 “Road Map” to Certification
1. We admitted we were powerless over security—that our lives had become unmanageable.
2. Came to believe that a power greater than ourselves could restore us to sanity.
3. Made a decision to turn our will and our lives over to the care of ISO 27001.
4. Made a searching and fearless moral inventory of systems.
5. Admitted to ISO, to ourselves, and to another human being the exact nature of our wrongs.
6. Were entirely ready to have ISO remove all these defects of character.
7. Humbly asked ISO to remove our shortcomings.
8. Made a list of all systems we had harmed, and became willing to make amends to them all.
9. Made direct amends to such people wherever possible, except when to do so would injure them or others.
10. Continued to take personal inventory, and when we were wrong, promptly admitted it.
11. Sought through corrective and preventative actions to improve our conscious contact with ISO, praying only for knowledge of ISO’s will for us and the power to carry that out.
12. Having had a spiritual awakening as the result of these steps, we tried to carry this message to other law firms, and to practice these principles in all our affairs.
The 12 Steps to ISO Certification
ISO-27001 “Road Map” to Certification
1. Obtain Management Buy-in
2. Apply a Project Management Framework
3. Perform Gap Analysis
4. Define Scope
5. Publish an ISMS Policy
6. Perform Risk Assessment
7. Develop a Risk Treatment Plan
8. Publish a Statement of Applicability
9. Implement Controls and Procedures
10. Operate, Monitor and Measure the ISMS
11. Perform an Internal Audit
12. Certification
Example scope statements:
• Cravath, Swaine & Moore LLP – SCOPE: A framework of information security management processes, practices and controls that ensure the confidentiality, integrity, and availability of firm-wide IT infrastructure and services that enable the business processes and activities supported by Document Management Service (DMS), Email Services (EMS), Litigation Document Storage Service (LDSS) & Remote Access Services (RAS).
• Paul, Weiss, Rifkind, Wharton & Garrison, LLP – SCOPE: Information Security Management System (ISMS): a framework of processes and control specifications to the configuration, provision, and management of Document Management Service (DMS), Email Service (EMS), Remote Access Services (RAS), and Mobile Device Management Services (MDMS) protecting client and firm information assets globally. These activities take place in the SunGard co-location data center located in New Jersey and within the Paul Weiss offices located in NY, NY.
• Sullivan & Cromwell LLP – The ISMS (Information Security Management System) supports and protects the security of Sullivan & Cromwell LLP client and firm data and associated confidential information residing in NY, NY.
Questions?
Are you ready to pitch ISO 27001 within your own firms?
Visit the ILTA Knowledge Bank to download a consolidated version of this presentation.
ADDITIONAL SLIDES
ISO 27001:2013 – Second Edition
First Edition – 2005: 1. Scope; 2. Normative references; 3. Terms & definitions; 4. ISMS; 5. Management Responsibility; 6. Internal ISMS audits; 7. Management Review; 8. ISMS improvement; Annex A – Control objectives
• 11 Domains • 39 Control Objectives • 133 Controls
Second Edition – 2013: 1. Scope; 2. Normative references; 3. Context of the organization; 4. Leadership; 5. Planning, Support; 6. Operation; 7. Performance Evaluation; 8. Improvement; Annex A – Reference controls
• 14 Domains • 35 Control Objectives • 114 Controls
http://www.iso.org ($130)