Today, cybersecurity is front and center in the legal industry, and it should be. Data breaches can cause crushing financial losses, while damage to an organization’s reputation can linger for years. Lawyers no longer have the luxury of thinking of cybersecurity as a field too technical, or not sufficiently legal, to be within their purview: The New York Rules of Professional Conduct (Rule 1.1), and the equivalent in most states impose a duty of technological competence on practitioners. This article seeks to explore the gold standard in information security, ISO/IEC 27001:2013 (Second edition 2013-10-01) (hereinafter ISO 27001), and to provide attorneys and legal professionals with a foundational understanding of ISO 27001.

Some in the legal profession may be glancingly familiar with the ISO 27001 standard: After all, Amazon Web Services (AWS), Azure, other cloud service providers, or legal process outsourcing organizations often tout their ISO 27001 certifications. But does the average lawyer really know what it means? In my experience, the answer has been no. So, let’s start with a simplified definition of ISO 27001: It’s a standard for protecting and securing an organization’s information assets. Before we take a deeper dive, let’s discuss the standard’s origins.

ISO (International Organization for Standardization)