Lexcel – Resurrections and Second Comings

Lexcel and ISO27001 still enjoy a good relationship. Here, Advent IM Security Consultant, Steve Foley, has a look at the updated Lexcel…

A number of years ago a colleague published a blog post addressing the ‘rumoured’ death of Lexcel. The title of that piece was a little tongue in cheek, as the content actually pointed to the continued increase in uptake of the accreditation within legal practices. Looking at the present day, figures published by the Solicitors Regulation Authority and the Law Society suggest that, of the 10,393 (May 2018) law firms registered in England and Wales, 1,732, some 16 percent, are accredited to the Lexcel standard. As information security consultancy is one of our core business deliverables, the blog post went on to cover the correlation between that quality management standard and how it mapped across to a number of clauses within the globally recognised ISO/IEC 27001 – Information Security Management System.
Well, here we are in July 2018 and the latest Lexcel Quality Management System publication has arrived to allow firms to consider and manage the impact of the following regulations and Act on their business:
• The General Data Protection Regulation (Regulation (EU) 2016/679);
• The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017;
• The European Union Financial Sanctions (Amendment of Information Provisions) Regulations 2017; and
• The Criminal Finances Act 2017.
Although the standard launched last month, members of the Law Society applying for initial or re-accreditation will not be assessed against the new standard until November of this year, to allow time for policies to be updated and embedded within organisational business as usual.
Certification to recognised standards is becoming increasingly relevant to service providers as organisations look to outsource more and more of their business. As part of due diligence and adherence to relevant regulation, the level of assurance that certification can provide certainly becomes a business enabler in assisting the tender process.
Customers are also now savvier with regard to data privacy regulation following the introduction of GDPR this May, the increase in, and reporting of, data breaches throughout large organisations, and the headline-grabbing data breach fines that will no doubt soon follow somewhere in the EU. This will no doubt have an impact on which organisations the more astute choose to do business with.
On the subject of GDPR, or more appropriately its UK implementation, the Data Protection Act 2018, the application of a management system will help address a number of the articles contained within it and will demonstrate a strong attitude to data privacy, information security and the continual improvement of those areas. That in turn helps organisations comply with the legislation and reduces the threat of an incredibly hefty monetary penalty from the ICO.
Whilst they do not marry up entirely, a large number of the requirements of Lexcel do map to ISO/IEC 27001. This relationship between the two standards will be strengthened later this year with the introduction of ISO/IEC 27552 – Enhancement to ISO/IEC 27001 for privacy management.
The overall takeaway is to choose a suitable standard to certify against, as the benefits must be considered to outweigh the risk of having nothing in place. Being certified to a recognised standard demonstrably sets your organisation apart from other legal practices within the country, demonstrates that the sensitive nature of the data you hold is recognised and that you treat it safely and securely, and allows you to tender for the numerous contracts where certification is a prerequisite.

Lexcel and ISO 27001 – complementary accreditations?

After reading a discussion in the Lexcel group on LinkedIn entitled “The Death of Lexcel”, and asking the legal brains on Deferolaw.com what they thought about this, I thought it might be interesting to have a look at Lexcel in the context of ISO 27001.

Rumours of the Death of Lexcel have been somewhat exaggerated.

The reason for this is that we have noticed an increased interest in, and uptake of, this accreditation in the legal profession, and so the discussion topic intrigued me as I wondered if there was any correlation. Whilst they are not competing accreditations, I can see some areas where there is a definite relationship.

Incidentally, whilst I thought it was a great attention-grabbing topic headline, the Death of Lexcel would appear to be somewhat exaggerated…

ISO 27001 potentially maps across some areas and a practice with Lexcel may have the ‘nucleus’ to build on for this accreditation.

The Lexcel standard is very practice- and client-focused and has lots of mandated parts. It talks about risk management, but this relates more to clients and elements such as indemnity insurance than to the risk-based ISO 27001 standard, which focuses on the security of information assets within a business. Still, it may not be such a huge leap (see below).

Legal practices seem to be considering ISO 27001 because they see it giving a competitive advantage when competing for tenders, especially HMG-related ones such as the NHS, as they are now being asked questions about how they provide information security within their practice. Indeed, the panel of practices looking after the NHS Litigation Authority consists of 10 firms but only one has ISO 27001, though that landscape is changing.

‘Having the badge’ saves time and money: rather than individually specifying how a practice handles security to meet each client’s requirements, it can simply say ‘see the badge’!

Understandably there is a growing unease about the increasing enforcement action being taken by the ICO with respect to Data Protection and privacy – fines and penalties up to a maximum of £500k plus possible custodial sentences are not good publicity for any organisation. For a legal practice, the nature of the data it holds is so sensitive that any lapse that had to be disclosed would be disastrous and a headline writer’s dream.

An ounce of prevention is worth a pound of cure

Lexcel and ISO27001

Lexcel – Overview (v4 – v5 released Oct 11, compliance from July 2012)

All Lexcel Elements below are MANDATORY

√ Law Society’s International Practice Management Standard

√ Objectives of Standard:

  • Enhanced service given by the practice to its clients
  • Improved management of the practice
  • Improved morale and motivation of staff

√ Emphasis on continuous improvement – just as ISO27001 has with its PDCA process

√ Standard consists mostly of mandatory requirements – policies, processes, procedures and plans – each policy and plan has an ‘owner’ – a good start, as many of the policies below are also required for ISO27001

√ Documented review at least annually – Audits and reviews are part of the ISO27001 ISMS

√ A practice being any organisation subject to the standard – including partnerships, LLPs, sole practices, incorporated law firms and legal departments

√ The Lexcel Office provides guidance on application of the standard

√ Lexcel has elements of ISO9000, IiP and is a readily-translated quality standard for the legal profession

√ Risk reduction tool in terms of Indemnity Insurance claims – ISO27001 can reduce overall risks even further

Lexcel – Structures & Policies (Mandated)

√ Risk Management Policy – strategic, operational and regulatory risks – required and mandated in ISO27001

√ Quality Policy

√ Anti-money Laundering Policy to comply with legislation – this would be part of ISO27001 Section 15 on Compliance

  • Includes the need for an MLRO
  • Process for disclosures
  • Identification checking
  • Personnel training
  • Records maintenance

√ H&S Policy

√ Community & Social Responsibility

√ NEW V5 – Outsourcing Policy & Social Media Policy – policies that would also be required in ISO27001, with Outsourcing being part of a 3rd Party Management Policy in ISO27001 terms

Lexcel – Strategy, Provision of Services & Marketing

√ Documented marketing and business plan

√ Documentation of service offering and a required 6 monthly review (audit) – internal audit is very important within ISO27001

√ BCP – Section 14 of ISO27001 on Business Continuity Management (possible requirement also for BS25999 that BJ are also considering)

Lexcel – Information Management & Facilities

√ Information Management:

  • ICT Plan
  • Data Protection Policy – including registration with ICO and training of staff – Section 15 Compliance of ISO27001
  • Information Management Policy – information assets with description of risks to these assets (practice and client), likelihood and impact – mandated Clause 4 in ISO27001, though Lexcel has no guidance from what I can see on Risk Assessment Methodology (ISO27005)
  • Procedures for the protection and security of assets, including training of personnel – ISO Section 8 on HR, security training and awareness
  • Email Policy – scope of permitted and prohibited use, monitoring, management, security, storage and destruction procedures – this would be part of an AUP in ISO27001 and be covered in various sections of the standard
  • Web Site Policy (if they have one) – process for document approval and publishing, permitted and prohibited usage, management and security of contents – Section 10 (amongst others) of ISO on need for change management
  • Internet Access Policy – permitted and prohibited use, monitoring procedures – as for Email above

√ Facilities – much of this is covered in Section 9 of ISO27001

  • Security and Safety of equipment
  • Process for Visitors (Clients) and communication arrangements
  • Procedures for handling of financial transactions
  • Processes for sharing and updating legal and professional information
  • Office Manual or Intranet – reviewed and updated at least annually

Lexcel – People Management – all classic Section 8 of the ISO

√ Recruitment plan and procedures (references, vetting, etc.)

√ Induction Training

√ Training and Development Policy

Lexcel – Supervision and Operational Risk Management

√ Written description of management structure with roles and responsibilities (R&R) – ISO Section 6 Organisation

√ Active supervision of all staff – monitoring, Section 10

√ Process to check all legal work files for ‘inactivity’ – auditing

√ Regular independent file reviews – auditing again

√ Designation of one overall Risk Manager – similar to the position within the company of a director level individual with responsibility for Information Security within the business as in the ISO

√ Annual analysis of risk assessment data – annual review of risk register and possible re-assessment of risk as per ISO

Lexcel – Client Care – ISO Dealing with Customers Section 6

√ Client Care Policy

√ Record of Standing Terms of Business with Clients

√ Written Complaints Handling Procedure

√ Monitor Client Satisfaction

Also Sections on Financial Management & File and Case Management

Other referenced documents: Solicitors’ Code of Conduct (Rule 2) and, by implication, the Solicitors Regulation Authority (SRA) Chapter 7 Management of Business