ISO 27000 - Starting from Scratch for a Smallish Law Firm

Greetings fellow Covers,

I'm beginning a new job at a law firm. Right now, we are small but we have big clients and I think it would add some value to start working towards IT security standards. But I have no idea where to start. For my last job, I walked into a ISO 13485, ISO 9001 certified organization.

Any help is appreciated.

Thanks and best,

Hello supadrai,

well, there's a lot of work to do my friend. Let's first grab a copy of (1) ISO/IEC 27001 which specifies the requirements for Information security management systems and (2) ISO/IEC 27003:2017 which is the guideline for implementing an information security management system in accordance with ISO/IEC 27001 requirements.

Apart from the above mentioned, i would personally suggest that you start by wrapping your head around the very basic idea of information security management:

1. Identify and evaluate risks to the security of information.
2. Identify and employ controls to reduce/mitigate each risk.
3. Monitor, evaluate and improve the effectiveness of the controls used to reduce the risks to your company's security of information.

Please let me know if this begins to answer your question, and i will be available for any additional questions you may have.
And before you even do that, decide what information you need to keep secure. Then, once you have that understanding, you can look at risks.
Yes absolutely, this is maybe the most important part for determining both risk level and controls to be implemented.

Top Bottom