Feature

posted 30 Jun 2008 in Volume 11 Issue 2

Case study: Irwin Mitchell - Keeping it confidential

Irwin Mitchell achieved BS7799 certification, with business-focused policies and procedures, in 18 months.

By Peter Sloane, business development manager, Irwin Mitchell

Irwin Mitchell is the UK’s fourth-largest law firm, employing over 2,300 staff throughout the UK and Europe, and providing a full range of legal services to private individuals, businesses and other institutions.

The firm set itself the goal of achieving BS7799, the global standard for information security management, which covers all aspects of information kept by companies, including data on laptops, PCs and other IT systems - and hard-copy paper on which information is printed.

In total, BS7799 certification covers ten key areas, including business continuity planning, system access controls, and physical security. It also requires personnel to be trained and given guidance in reducing the risks of human error and misuse. BS7799 certification is a guarantee of security, recognised and, more importantly, trusted worldwide. By complying with the standard, businesses are not only securing their information, but also their futures.

The importance of information security

Today’s large enterprises are increasingly aware of the importance of keeping their data secure, and they typically take the issue very seriously. Irwin Mitchell’s own clients frequently enquire about the level of information security management deployed throughout the organisation.

As Peter Sloane, business improvement manager at Irwin Mitchell, says: “Many of the larger corporate enterprises, in particular, make holding the standard a condition of doing business with them. They take it almost as implicit that you are either working towards the standard or that you have it already, and consequently feel much more comfortable knowing that you have bought into the process.”

The firm is often required to produce evidence regarding the security and confidentiality of corporate data. Part of the BS7799 certification process requires that an organisation is subject to external audit every six months. At Irwin Mitchell, this procedure is carried out by SGS UK, whose Swiss-based parent is recognised as one of the world’s leading inspection, verification, testing and certification companies.

Certification can be revoked or renewed depending on the organisation’s ability to demonstrate continuous improvement. This robust process provides a high level of assurance to prospective and existing clients.

Achieving certification also encourages the organisation to focus on issues of business continuity and incident management. It aids the firm in the competitive tendering world, where clients now see BS7799 certification as an important factor when choosing a supplier.

In short, it adds significant value to the firm’s key target marketplaces. BS7799 also helps to encourage staff discipline, and a sense of unity and common purpose, through a structured set of policies and guidelines.

It is Sloane’s responsibility to monitor process improvement, information security management and business-continuity planning.

“Information security management is now, or at least should be, a major focus for every law firm across the UK,” he said. “I saw the potential benefits in implementing a global security standard such as BS7799 to reinforce our business standards and build greater trust in our organisation. This is very much a best-practice approach. By operating to it, we are confident we are achieving a very high standard of information security management within our organisation,” he added.

Choice of partner

When Irwin Mitchell began the certification process, it approached several companies to ascertain suitability for the role of niche consultancy partner. There were two main questions the company posed to each candidate:

  • Have you achieved certification?
  • If so, can you prove it?

IT security consultancy Sapphire presented itself as having experience in taking both itself, and other organisations, through the certification process, and achieving BS7799. It gained certification for itself nearly four years ago.

“We saw a lot of companies in the selection process who told us that they could help us achieve BS7799, but who had not actually achieved the standard themselves,” said Sloane. “We therefore felt they would be unlikely to be able to guide us expertly through the process, while pointing out all the potential pitfalls along the way. The other key aspect was that Sapphire had experienced and highly trained consultants,” he continued. “This is invariably crucial, as the added value in these types of projects often comes from the quality of the business relationship you have with the consultant.

“The Sapphire consultant we worked with was excellent in terms of being open to answering our questions and raising issues with us. In addition, he was capable of having an informed and rational debate and arriving at objective conclusions.”

Rolling out the project

Over an 18-month period, Irwin Mitchell and Sapphire worked together to compile a comprehensive BS7799 manual that was acceptable to both parties. The BS7799 standards document was tailored to Irwin Mitchell’s business needs, and applied specific policies and procedures to suit the law firm’s working practices.

Sapphire had two people working on the project throughout, with a six-strong IT team from Irwin Mitchell. As project leader for the law firm, Sloane found the security consultants and staff at Sapphire extremely helpful. The consultant assigned to the project was always willing to provide materials to assist with the process, and often even supplied sections of Sapphire’s own manuals and sanitised reports as learning tools.

Sloane could also always question Sapphire’s actions. Equally, when Irwin Mitchell made changes to the standard, Sapphire would challenge the reasoning behind its partners’ actions. Both parties were exacting in their approach but also open to new ideas.

“Overall, I was extremely happy with the relationship I had with our consultant,” Sloane said. “He was always personable, understanding and open to debate. This often meant we spent afternoons arguing our corners, but I did see the reasoning behind this and as a result, I think the relationship between Irwin Mitchell and Sapphire represented a good skills transfer.”

He encountered few problems internally when implementing BS7799. “One of the key things I learnt was that it takes longer than you think. People were highly supportive of the process, and without their encouragement we wouldn’t have been so successful.”

Once the policies were written, and the procedures implemented, Irwin Mitchell began to prepare for its first BS7799 audit. “I particularly liked the help we received from Sapphire at this point,” comments Sloane. “We thought their auditing skills and test audits were excellent learning tools. The auditor made use of good assessment techniques, which allowed us to apply the knowledge we had learnt and prepare for the real thing.”

Looking to the future

It took Irwin Mitchell just 18 months to achieve certification. This accomplishment has had several key effects on the business.

The organisation subsequently experienced a significant increase in the number of tendering projects won and, in turn, received much positive publicity. Existing clients had the reassurance that Irwin Mitchell’s information security management processes were robust, and new clients have been attracted to the company on the basis that it complies with an international information security management standard recognised throughout the world.

The system has also provided a robust structure for the IT team and other staff to work within. There is much greater internal awareness of what constitutes a security incident, and employees are much more aware of the need to report them. The number of security issues has also fallen, because staff members have a clearer understanding of what best practice is in a number of different security scenarios.

There is greater awareness, for example, of the procedures that need to be put in place to protect the security of the premises. Equally, new projects carried out by the firm now have an integrated security element built into them.

Irwin Mitchell also made a successful transition to ISO 27001, the new international version of the standard, at the first review visit by SGS UK. Having seen the benefits of implementing BS7799 and ISO 27001, the firm is now considering implementing other IT-related standards.

The scope of BS7799 was originally limited to the IT department, but it is currently being extended across all operations teams. The intention is to carry out the bulk of this process during 2008.

This roll-out will inevitably be complex as, within Irwin Mitchell, the operations function consists of many different departments from facilities, to knowledge management, to a library unit, all of which have slightly different information requirements. However, the firm has already begun the planning process for this roll-out.

“When we began working to BS7799 I thought it was a drain on resources,” said Sloane. “Today, I would recommend the processes involved to any organisation that values information security management.”

Reflecting this advice, several other law firms in the UK are now looking at implementing the standard. As Sloane comments: “There are few areas of business with a greater need to secure data and keep information confidential than the legal sector. And law firms today are becoming increasingly aware of the importance that technology processes and IT standards, in particular, can play in enabling them to achieve this.”

Peter Sloane is business development manager at Irwin Mitchell.

Copyright ©1994-2008 Ark Group Ltd All rights reserved. No part of this site or the publications described herein
may be reproduced in any form without the permission of Ark Conferences Ltd, Registered in England, No. 2931372.