Lexcel and ISO27001 still enjoy a good relationship. Here, Advent IM Security Consultant, Steve Foley, has a look at the updated Lexcel…
A number of years ago a colleague published a blog addressing the ‘Rumoured’ death of Lexcel. The title to that piece was a little tongue in cheek as the content actually pointed to the continued increase in uptake of the accreditation within legal practices. Looking at present day and figures published by the Solicitor’s Regulation Authority and the Law Society suggest that of the 10,393 (May 2018) law firms registered in England and Wales 1,732, some 16 percent are accredited to Lexcel as a standard. As Information Security Consultancy is one of our core business deliverables, the blog continued to cover the correlation between that quality management standard and how it mapped across to a number of clauses within the globally recognised ISO/IEC 27001 – Information Security Management System.
Well here we are in July 2018 and the latest Lexcel Quality Management System publication has arrived to allow firms to consider and manage the impact of the following regulations and Act upon their business;
• The General Data Protection Regulation (Regulation (EU) 2016/679);
• The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017;
• The European Union Financial Sanctions (Amendment of Information Provisions) Regulations 2017; and
• The Criminal Finances Act 2017.
Although the standard launched last month, members of the law society applying for initial or re-accreditation will not be assessed against the new standard until November of this year to allow time for policies to be updated and to be embedded within organisational business as usual.
Certification to recognised standards is becoming increasingly relevant to service providers as organisations look to outsource more and more of their business. As part of due diligence and adherence to relevant regulation, the level of assurance that certification can provide, certainly becomes a business enabler in assisting the tender process.
Also, customers are now savvier in regard to Data Privacy Regulation following the introduction of GDPR this May, the increase of and reporting of data breaches throughout large organisation’s and the no doubt soon to follow headline grabbing data breach fines somewhere throughout the EU. This will no doubt have an impact on which organisations the more astute choose to do business with.
On the subject of GDPR or more appropriately the UK implementation, the Data Protection Act 2018, the application of a management system will help address a number of articles contained within and will demonstrate a strong attitude to Data Privacy, Information Security and the continual improvement of such areas that in turn would help organisations be compliant against such legislation and reduce the threat of an incredibly hefty monetary charge from the ICO.
Whilst they do not marry up entirely, a large number of the requirements of Lexcel do map to ISO/IEC 27001, this relationship between the two standards will be strengthened later this year with the introduction of ISO/IEC 270552 – Enhancement to ISO/IEC 27001 for privacy management.
The overall take away is to choose a suitable standard to certify against as the benefits must be considered to outweigh the risk of having nothing in place. The benefit of demonstrably setting your organisation apart from other legal practices within the country, demonstrating that the sensitive nature of the data you hold is recognised and you treat it safely and securely and being certified to a recognised standard will allow you to tender for numerous contracts where certification is a pre-requisite.
Traditionally in our experience law firms, such as solicitors, have relied on compliance with Lexcel regulations, and the Data Protection Act, to provide adequate security measures to combat threats from say typically malicious insiders or burglars to their attractive data and information databases. In these days of cyber-based threats these traditional defences are clearly inadequate to deal with far more complex and persistent threats posed by external individuals and groups (such as Serious and Organised Crime) that have far more capability and motivation than ever before out in the Internet. Perhaps this is due to increased (or in many cases new) connectivity of law firm systems to being online 24/7 to the outside world and the additional threats that it poses and typically no single individual within the business having responsibility for information security? It is certainly the case that attacks on law firms are on the increase including for example, scam ‘mandate frauds’ where a fraudster impersonates a known contact, such as a bank or a client, and asking the law firm employee to change the sort code and account number, either for making a known payment (e.g. in a conveyancing transaction) or else, ‘to safeguard the client account against a fraud’. Monies will then leave the business account and go to an account controlled by the fraudster and the liability of the financial loss will normally be with the Solicitor say for authorising the changes
The need for robust and effective cyber security controls for small to medium sized business including legal firms has been recognised by Government’s National Cyber Security Strategy with their recent investment in a wide range of supporting measures, including:
All of these initiatives and measures are good in increasing awareness of the risks that solicitors and other law firms face but at the same time the businesses themselves must think seriously about how they can continuously mitigate the increasing cyber threat by ensuring that they have implemented best security practices such as appointing senior management / partners with a specific responsibility for all security matters including the traditional physical and personnel measures but now expanded to include organisational, policy and procedures, IT operations and communications, 3rd party service providers, security incident management and more besides. Compliance with Cyber Essentials is a must for all businesses especially small businesses (for suppliers to Government it is mandatory) but for the medium-sized and above business it may be time for them to contemplate implementing a more robust and comprehensive information security management system or framework as provided by the International Standard Organisation’s ISO27001:2013. Law firms that Advent IM have engaged with to provide
In January, we 
ebruary, we had a visit from 
Chris Cope 
Security for UK legal professionals 