Choosing A Suitable Cyber Certification Pathway
I’m sure you will all be familiar with Lexcel. The popular Law Society accreditation that is widely adopted by law firms. Lexcel is an accreditation that is widely respected as it helps create strong frameworks within practicing law firms.
The new version of the Lexcel standard (‘v6.1’) became mandatory for all assessments taking place from 1 November 2018. Within this version firms are recommended to implement the Government backed Cyber Essentials certification.
Cyber Essentials helps your law firm guard itself against the most common cyber threats and demonstrate your commitment to cyber security. Its infamous badge can be displayed on your email signature and on your website. Considered as the starting point for a good cyber security programme, it is particularly suitable for businesses with no existing Cyber Security certifications or for those who don’t have huge amounts of time or resource to dedicate to security.
However, how do you know whether Cyber Essentials is appropriate for your business? There are actually a few cyber and data accreditation routes out there that are worth considering depending on your firm’s size and infrastructure. Let’s take a look at these…
Firstly, you’ve got Cyber Essentials Plus. This is a step up from Cyber Essentials. It covers the same controls but this time is independently verified by a site visit from an expert assessor in comparison to the online self-assessment form of Cyber Essentials. You will achieve certification should you pass a thorough inspection of online devices through a detailed network vulnerability scan. Typically, this should be more appropriate for medium to large sized law firms with multiple offices and more complex infrastructures.
Next up is IASME Governance. The IASME Governance standard was developed over a number of years during a project funded by government to produce a cyber security standard which would be an affordable and reachable alternative to the international standard, ISO27001. This is everything in Cyber Essentials, plus some key additions.
These additions are a data protection 2018 readiness assessment and an evaluation of risk assessment and security risk management processes. It is perceived as a light version of ISO27001 and is appropriate for firms wanting to take the journey towards IS027001 who want a recognised stepping stone.
Alternatively, this also works well for firms who don’t have the resource for ISO27001 but who want to certify their technical and non-technical information management processes. The accreditation also comes with £25,000 worth of Cyber Insurance.
Lastly but by no means least is ISO27001. Most appropriate for large regional or city-based law firms, ISO27001 is seen as the gold standard of Information Security and is globally recognised. If, as a firm, you are keen to demonstrate that information security is richly embedded into your business processes and that it is taken seriously at all levels, not just IT, then ISO27001 is the appropriate step for you to take in the long run.
If currently you don’t have any accreditations in place, then starting your journey with IASME Governance is a good place to start in terms of achieving your long-term objective. CISO’s may also look at ISO27001 as a way to effectively demonstrate their role to the board.
The way you’re perceived with IS027001 across the B2B sector changes, it portrays you as a business that is well prepared, IT focused and has strong and robust processes in place.
As the legal sector continues to undergo rapid changes with regards to technology and infrastructure, the value of accreditations will rise. In the next few years we may see banks asking for specific accreditations in order for you to join their panel. Technology contracts may stipulate these as a requirement and customers will begin to familiarise themselves with the picture they paint of your organisation.
Of course, there’s no getting away from cybercrime with some sort of magic ingredient however choosing the right accreditation puts you on a stronger footing.
Here at Lawyer Checker we are ISO27001 and Cyber Essentials Plus accredited so we can support your accreditation journey and help you understand which one is most appropriate for your business before certifying you. To talk us about accreditations please contact me on [email protected] or 01829 307540.