The Akron Legal News


ISO 27001 is the most secure standard in computer system security

RICHARD WEINER
Technology for Lawyers

Published: August 14, 2015

Maybe you’re not paranoid about computer security. Yet. But maybe you should be.

Even so, you may not be paranoid enough for the International Organization for Standardization (ISO) version of best practices in computer security: ISO/IEC 27001. But maybe you should be.

ISO/IEC 27001 was promulgated in 2013, with the help of the International Electrotechnical Commission (IEC).

The complete standard is about 25 pages long, and is available on the ISO website (www.iso.org) for about $130. At that cost, I would think that every law firm IT unit could afford to take a look.

It is worth touching on what an ISO standard is not. First, ISO itself does not certify anyone as ISO compliant; that is left to third-party auditors. A company can also conform to the standard without being formally certified. ISO standards are strictly voluntary.

There is a series of ISO 27000 standards having to do with keeping information assets secure; the 27001 standard “is the best-known standard in the family providing requirements for an information security management system (ISMS),” according to the ISO website, which also states that conformity to the standard is increasing at more than 30 percent per year.

An ISMS is the system by which a law firm houses and protects its data, media, communications and so on, and the 27001 standard is what a law firm should strive to meet, according to experts in the field.

The 27001 standard has to do with the complete range of necessary security functions for a computer system. These include standards for information security policies and organization; human resource security; asset management; access control; cryptography; physical and environmental security; operations and communications security; system acquisition, development, and maintenance; supplier relationships (note: the Target breach came through a third-party plumbing company’s website); information security incident management (also addressed in ethics rules, etc.); and legal and policy compliance.

There are also sections giving broad overviews of various topics, including information security in project management; restrictions on software installation; secure system engineering principles; the information and communication technology supply chain; system security testing; and much more.

Again, well worth the money to take a look at.
