Free preview: Information Security Policy

These are the genuine opening sections of one document from the ISO 27001 Toolkit for Law Firms (17 documents total). The amber [placeholders] are what you customize — everything else is ready to use.

Information Security Policy

Purpose. This policy establishes the firm's overarching commitment to protecting the confidentiality, integrity, and availability of all information entrusted to it, with particular emphasis on client confidences and material subject to legal professional privilege. It defines the principles, objectives, and governance structure of the firm's information security management system (ISMS) operated in accordance with ISO/IEC 27001:2022. It serves as the parent document from which all topic-specific security policies derive their authority.

Organizational Context

The firm holds information whose compromise carries consequences beyond ordinary commercial loss: attorney-client communications protected by legal professional privilege, conflict-sensitive details of opposing parties and transactions, draft pleadings and negotiation strategies, and client funds held in trust accounts. A single uncontrolled disclosure can waive privilege, trigger regulatory discipline, expose the firm to malpractice claims, and permanently destroy client trust.

The firm's operating environment shapes its security risks. The document management system is the central repository of work product and must be both tightly access-controlled and highly available. Conflicts of interest require enforceable information barriers between matter teams, not informal understandings. Court and statutory deadlines make system availability a professional obligation, because a missed filing caused by an outage can prejudice a client's case. Trust account operations are actively targeted by wire-fraud and payment-diversion schemes that impersonate clients, counsel, and title agents. Hybrid working and the continued use of physical files mean confidential material moves between offices, homes, courthouses, and client sites and must be protected in every location.

Policy Statement and Leadership Commitment

The [Managing Partner] and the [Executive Committee] commit the firm to operating an ISMS that satisfies the requirements of ISO/IEC 27001:2022, applicable law, rules of professional conduct, and contractual commitments to clients, and to improving that ISMS continually. Leadership will allocate the budget, personnel, and authority needed to implement this policy and will not permit fee pressure or deadline pressure to be used as a justification for bypassing security controls.

Consistent with control A.5.4, every partner and manager is responsible for requiring the personnel they supervise to apply information security in accordance with this policy and its topic-specific policies, for including security compliance in performance expectations, and for escalating non-compliance rather than tolerating it. Supervisory responsibility for security cannot be delegated to IT.

Information Security Principles

All security decisions, procedures, and day-to-day judgments at the firm must be consistent with the following principles.

  • Privilege comes first. Material subject to legal professional privilege or work-product protection is treated as the firm's highest classification by default, and any control decision that could affect privilege must involve the [General Counsel / Risk Partner].
  • Need to know is enforced technically. Access to matter files is granted on a per-matter basis, and conflict-of-interest walls are implemented as enforced access restrictions in the document management system and practice management system, as detailed in the Client Confidentiality and Information Barriers Policy.
  • Availability is a professional duty. Systems supporting court filings, limitation periods, and closing deadlines must meet defined recovery objectives, because deadline failure harms clients directly.
  • Verify before money moves. No payment or trust account disbursement instruction received electronically is acted on without independent verification, reflecting the firm's exposure to wire-fraud schemes.
  • Firm systems by default. Client work is created, stored, and transmitted only in firm-approved systems; personal email, personal cloud storage, and unapproved tools are not used for client material, as required by the Acceptable Use Policy.
  • Security follows the information, not the building. The same protections apply at home, in court, and in transit as in the office, as detailed in the Remote Working and Mobile Device Policy and the Physical and Environmental Security Policy.

Information Security Objectives

The firm sets the following measurable objectives. The [Information Security Officer] must measure and report performance against each objective to the [Executive Committee] quarterly, and the objectives must be reviewed for continued suitability at the annual management review.

— Preview ends. The full document continues, and the toolkit includes 16 more documents. —

Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.