Morton Fraser - ISO 27001 Implementation

Based in Edinburgh and Glasgow, Morton Fraser Lawyers is a thriving, independent, top 10 Scottish law firm. In 2018, they were awarded Business Insider’s Scottish SME of the year award, which recognises and celebrates Scotland’s best performing small and medium size businesses, as well as being voted one of the UK’s Top 100 Companies to Work For. Clarity is fundamental to their role, how they work and the service they provide. This clarity mentality not only gives assurance to clients in their work, but also confidence in their data security.

The Challenge 

As we become increasingly interconnected, with new threats appearing daily, the requirement for businesses to ensure that their data remains confidential has never been so in demand. In December 2017, Morton Fraser approached Resillion with the intention of devising a plan to review the existing security measures they had in place, amidst concerns of how the company would resist or mitigate the impact of a cyber-attack. 

To better understand which assets Morton Fraser needed to protect, what effective controls they had in place and what others they’d need to move forward with this plan, Resillion began with a business impact assessment. This assessment reviewed Morton Fraser’s information assets, how critical these were to the firm and the appropriate level of security control required. A gap analysis was also performed, comparing their existing security measures against the ISO 27001 requirements and a risk assessment to determine whether the controls met the requirements from the business impact assessment. From these results, we could present a roadmap for the implementation of an ISO 27001 Information Security Management System (ISMS) and eventual certification. Morton Fraser then commenced embedding the ISMS into the business, identifying security requirements and how best to address them.  

Next Steps 

In November 2018, Resillion were asked to provide expertise in the form of a virtual CISO, with the aim of  both developing and supporting an information security strategy which aligned to their business objectives, establish and embed an information security transformation programme, assist with creating an information security forum to drive business change and demonstrate corporate governance, and identify where new processes were required, monitoring and reporting on these as they transitioned into business as usual activities. 

Working closely with key members of staff at Morton Fraser meant that we were able to guide and aid in the implementation of a now flourishing security culture and robust security management practices throughout the firm, whilst simultaneously monitoring alignment to the requirements of ISO 27001 for planning the eventual certification process, including providing advice on choosing the right certification body.  

In September 2019, one particular area was identified as requiring additional support: internal audit – a key requirement of the ISO standard. However, this is often the case for organisations who are seeking certification, as having the necessary skills inhouse while maintaining a level of independence can be difficult to achieve. Resillion, once again, were able to assist by providing a qualified auditor to Morton Fraser who established and implemented an audit plan which addressed all the management clauses and controls in scope.  

The Outcome 

Morton Fraser successfully passed their stage 2 audit in January 2019 and were subsequently awarded certification by BSI. It had been a long journey to reach this point but, nevertheless, a worthwhile one. Morton Fraser are now equipped with the relevant knowledge to successfully recognise and mitigate the risk from cyber-attacks. Not only did they take steps to address these risks but went further in establishing an organisation-wide management framework, ensuring that information security is now an integral part of who they are and what they do.