You would be forgiven for expecting ISO 27001, the Information Security Standard, to be relevant only to IT businesses, but the Standard is applicable to any business that holds personal data. It’s no surprise, then, that we’re seeing an influx of interest from professional services firms such as Hallmark Hulme.
As Worcester’s oldest law firm, Hallmark Hulme has long been trusted with the confidential information of Worcester’s great and good, but for much of this time information security was a matter of locking papers away and ensuring employees were tight-lipped. These days, however, the vast majority of information is held digitally, although some paper records are still kept.
In October 2017, the firm started to consider the GDPR implications for the business. It already held Lexcel, the Law Society kitemark for running a legal firm, and Cyber Essentials, the cyber security certification, but as Julian Powell, Business Director, explains, ‘We didn’t want to stop there. We wanted to strengthen our data protection processes and ISO 27001 was the perfect choice as it would reassure clients how seriously we take information management – as holders of significant client data and monies we have to demonstrate we do everything possible to protect them.’
Naturally, the firm was concerned about embarking on ISO certification. Julian comments, ‘Not having any ISO experience previously we were concerned about the whole process – how to progress, who with, time to achieve and costs involved.’ Having secured quotations from ISO certification companies, Hallmark Hulme chose to work with ISO Quality Services because ‘it provides a first class service at a sensible price.’
The certification process took place over a period of 3-4 weeks, during which time Hallmark Hulme found that the Standard gave them ‘the structures to manage and re-examine some of our processes.’ The firm also took great pains to ensure that each member of the team understood their role in protecting information. All staff receive a briefing on information management and cyber security as part of their induction, and this is reinforced with annual training updates. In addition, any incidents or examples of issues sourced from outside the company are shared with staff on an ad hoc basis, as Julian recognises that there is ‘no substitute for practical, working examples.’
As well as speaking to the firm’s Assessor, Julian also found the online information in the Client Area useful and praises the entire team, commenting, ‘Any queries I asked of ISO have been dealt with professionally and efficiently. The ongoing support is excellent.’
To anyone considering ISO certification, Julian says, ‘Just do it! It makes you step outside your day-to-day routine and look at the business from a different perspective.’