Legal Help for Your ISO 27001 Audit
The ISO 27001 standard is a specification for managing an information security program in an organization. The International Organization for Standardization (ISO) developed and maintains this standard. Worldwide, ISO 27001 has become the most popular standard for managing information security programs, and many organizations have received a certification that their information security management system complies with the standard.
When companies obtain an ISO 27001 audit, they usually envision working with auditors to complete the project using operational, management, information security, and internal audit teams within the organization. What they may find surprising is that the ISO 27001 framework contains a number of legal topics, and the input of the legal team is vital as well. Some organizations may consult legal counsel about these topics, but I believe most organizations try to address these topics without legal help or use “off the shelf” documentation offered as samples from their auditors.
Writing documentation without the help of legal counsel creates risk for the organization. In the event of a security breach, for instance, government or plaintiff’s lawyers will ask for, and be entitled to examine, the “off the shelf” policies and procedures adopted by the company. If the policies and procedures were never implemented properly, these lawyers would point to the lack of adoption as evidence of knowing failure to implement security practices properly. If the policies and procedures are inconsistent with actual security practice, the inconsistency will make the company look lax in its security practices.
In either case, the disconnect between the company’s security and whatever documentation the company adopted solely for the sake of getting through the ISO audit process creates a risk of liability if a breach occurs. Companies must anticipate that breaches of some kind are inevitable. Therefore, legal risk from hastily-adopted legal documentation drafted during an ISO audit is also inevitable.
Given these risks, companies are well advised to obtain the assistance of legal counsel in drafting legal policies and procedures referenced in the ISO framework. Many of the topics covered relate to legal issues the company should tackle anyway. Accordingly, any legal work done in connection with the audit will benefit the organization beyond simply the audit process and help the organization manage overall legal risk.
This table includes examples of legal topics in ISO 27001 and example controls in ISO 27002, the types of legal documents relating to these topics that can serve as audit artifacts, and notes concerning their implementation. Note that where a section of ISO 27001 appears in the table, the corresponding section of ISO 27002 likely contains helpful explanatory details.
Stephen Wu is a shareholder with Silicon Valley Law Group. Mr. Wu advises clients on information technology matters in areas including establishing information governance policies and practices, agreement drafting and negotiation, information security, data breach response, computer fraud, computer investigations, privacy, and records management. For more information on legal assistance for your ISO 27001 audit, please contact Stephen Wu by completing the web form here.