Losing data is a business or government’s worst nightmare. From stolen laptops to files that go missing in the post, recent high-profile cases have made us all well aware of the damaging repercussions this can have. For a law firm, information is critical for everything it does – knowledge, advice and trust are what the firm provides to its clients.
If a law firm sells itself as a trusted adviser to commercial businesses and government organisations, it needs to be able to demonstrate that information security is a top priority. The ISO27001 accreditation, which has replaced the older BS7799, is the international standard for information security management. It is a tangible way for a law firm to demonstrate to its staff and clients that it takes information security very seriously.
It is clear that this issue is paramount for the clients of law firms. Many larger businesses now have the ISO27001 certification and this will increasingly be stated as a requirement for all professional service providers. This will apply particularly to those wishing to operate in the public sector and in financial services.
More and more business tenders ask for ISO27001, or parts of it, as a ‘must have’, as opposed to a ‘would be good to have’, for law firms seeking a slice of their business.
The Law Society’s Practice Note on Information Security also goes down a similar route, identifying the need for firms to put proper, effective policies in place for information security and business continuity. Bond Pearce took the approach that the easiest way to address all of these challenges was to identify the most appropriate standard to achieve.
Given a background of rising client pressure for information security, the Law Society’s practice note, and increased awareness of the pitfalls of losing information, why isn’t every law firm in the country signed up to this accreditation? Taking a rigorous approach to information security involves time and effort – and the immediate reward is simply the continuation of business as usual. In the long term, though, the reputation of a firm that takes its information security as seriously as other aspects of its management will grow.
Once it is recognised that information is a valuable asset to any firm, the loss or compromise of which can seriously affect reputation, protecting it will be seen as a management task and not simply a technical IT issue. Keeping to recognised good practice, a written information security policy, and periodic risk assessments should be the basis for detailed security countermeasures and procedures.
Solicitors have always taken steps to protect the confidentiality, integrity and availability of the information they hold. Most are aware of the time-honoured threats posed by dishonest or careless individuals, and of additional security challenges presented by new technology, particularly the internet.
Most law firms now have a written information security policy as well as a designated individual responsible for IT security. Those firms that do not may be taking risks with their most valuable assets.
The growing complexity of information management within law firms, accompanied by continual IT developments, means that a systematic approach to information security is essential.
The need to secure global electronic communications and new domestic IT-supported business processes will mean that information security will be important for firms of all types and sizes. Those processes will include electronic conveyancing, electronic court filing and electronic links between the Legal Services Commission and its suppliers.
With such a huge reliance on internet connectivity, email and document processing, as well as laptops, smart phones and BlackBerry devices, the legal sector must prioritise information security, or face the possibility of one day making a damaging and expensive mistake.
David Coates is IT director at Bond Pearce. Bond Pearce is currently the only law firm in the country to have achieved full ISO27001 certification across its entire business.