ISO 27001 is an information security standard established by the International Organization for Standardization. It specifies how management may implement information security. A management system must be implemented to maintain security controls on an ongoing basis.
In order to achieve ISO 27001 certification an organization must establish the following:
1. An overall information security policy.
2. A risk assessment process.
3. Competence of the personnel responsible for information security.
4. An internal audit program.
5. Documentation of actions taken to correct failures to comply with the policy.
6. Review of the system by top management.
ISO 27001 certification addresses the regulations and standards of HIPAA; the Sarbanes-Oxley Act; the American Institute of CPAs Service Organization Control (SOC 2) client data standards; and the Federal Information Security Management Act.
Some clients require that their law firms hold this information security certification. Firms such as White & Case LLP; Paul Weiss LLP; and Cravath, Swaine & Moore LLP have ISO 27001 certification.
A firm may begin to define the scope of its information security program with a review of its document management system. Best practices are detailed in ISO 27002, which covers cryptography; human resources; access control; communications; incident response; and legal compliance. Examples of specific measures include:
1. Photos or videos of restricted areas are prohibited without special permission.
2. User accounts are locked after a set number of unsuccessful login attempts.
3. Computers are configured to require re-authentication with a password after no more than 10 minutes of inactivity.
4. Write access to USB drives and DVDs is disabled unless specifically authorized.