It’s hard to believe a year has passed since we announced that after months of hard work Quiss became the first IT services provider in the UK to be ISO 27001:2013 certified. It is recognised as the leading standard for information security management, superseding the outdated ISO 27001:2005.
Achieving and maintaining the standard requires us to set objectives and monitor our own performance more closely. Over the year, we have successfully identified and addressed potential risks, long before they could become an issue, which is the obvious thinking behind the new standard and its implementation – if only every IT firm would adopt it, we might see a reduction in security issues.
It is important to stress that ISO 27001:2013 isn’t just about data security, but ensures we consider our business as a whole. We have to demonstrate financial stability and any commercial risk to our clients, whilst ensuring everyone in the business is aware of their responsibility to protect clients’ data.
As a provider of outsourced IT services, including hosted environments, with many law firm clients, a practice note recently issued by the Law Society has brought the importance of standards like ISO 27001:2013 into sharp relief.
It appears the Law Society, although recognising the advantages of outsourcing as law firms strive for greater efficiency and increased profitability, it considers there is an increased risk of loss of confidentiality. The practice note, issued late in April, does not constitute legal advice, but offers views on best practice and ways of cutting risk to solicitors and their clients.
The practice note points out that solicitors practices outsourcing work relating to clients, must take all necessary steps to ensure outsource service providers keep all info confidential, with appropriate confidentiality agreements in place.
We would argue that ISO 27001:2013 is the minimum standard law firms should look for when taking ‘all necessary steps’ to ensure the confidentiality of service delivered by outsourcing partners like Quiss – it’s a relatively easy box to tick in the assessment process.
And of course the Law Society explains that law firms should make their clients aware that the firm is outsourcing, setting the details out in a client care letter, which will potentially draw the client into making their own assessment of the outsourced service provider – again the ISO 27001:2013 certification will stand out like a beacon.
Given the growing reliance on Cloud solutions and the transmission of large volumes of sensitive data over the Internet, it is imperative that clients can have complete confidence in the ability of service providers like Quiss Technology to manage and store data securely.
One year on the standard is proving its worth in business won and contracts renewed. In a world of hollow promises designed to win contracts at any cost, an independently audited measure of a service provider’s stability and how it values its clients’ confidentiality is worth the hard work and ongoing commitment.