In a previous post I discussed a number of characteristics that could help General Counsels (GCs) cull the list of LPO vendors. One consideration at the top of every GC’s list is security. The importance of information security, and of the related properties of confidentiality, integrity and availability of information, cannot be overstated. GCs should require that LPO vendors choose an applicable standard, implement it rigorously, and subject their operations to periodic testing by an independent third party. Some uses of LPO will be less critical with regard to information security (e.g. general contract management), but for corporations intending to use multiple LPO vendors, or to outsource work requiring heightened security (e.g. M&A document review, litigation), a single standard will be easiest to evaluate and monitor over time.
The most common information security standard among LPO vendors is ISO/IEC 27001 (http://www.iso.org). Originally published in October 2005, it is a specification for an Information Security Management System (ISMS) that enhanced and harmonized the British standard BS 7799-2 with other standards. Its companion, ISO/IEC 27002, is a code of practice for information security that describes the controls and control mechanisms an organization can implement within the management framework that ISO 27001 specifies. ISO 27001 outlines a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS, and its scope covers not only information stored electronically, but also information that may be transmitted or printed.
The ISO is a network of the national standards institutes of 162 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. Members include the Bureau of Indian Standards (India) and the American National Standards Institute (the U.S.). ISO itself does not carry out conformity assessments and does not issue certificates. An LPO vendor is certified against ISO/IEC 27001 by an independent certification body, which is in turn accredited by a national accreditation body associated with members such as the Bureau of Indian Standards and the American National Standards Institute. A certificate therefore carries two names worth checking: the certification body that issued it and the body that accredited that certifier.
Implementation and Testing
Maintaining a process-based information security standard is an organization-wide effort. All LPO employees should have some familiarity with the information security standard in use and should receive training both at the time of hire and on a regular basis thereafter. In addition, LPO vendors should have their implementation of the standard tested. Assertions like “We follow ISO 27001 guidelines” or “We are seeking ISO 27001 certification” provide little comfort when entrusting operations to a vendor half-way around the world; neither statement means an independent auditor has examined anything. Ask for the certificate itself and read its scope statement: an ISO 27001 certificate names the sites, business units and processes that were audited, and anything outside that scope is uncertified no matter what the marketing says. For multi-site vendors, it is important that the entire company, or at least every site and process that will touch your data, be within the certified scope. If only one part of an organization is certified, but data is transferred through, or manipulated by, a portion of the vendor company that is not, that data is at risk. Check the certificate’s validity dates as well, since certificates expire and depend on periodic surveillance audits. Many facets of vendor relations require trust, but whenever possible follow the motto “trust but verify,” and validate vendor assertions with a third party. Certifications can help build trust more quickly because they demonstrate rigor with regard to the processes that matter to clients.
Any LPO vendor selection or RFP process should include criteria and questions about the vendors’ security certifications and practices. In a future post, I’ll discuss how you can evaluate the security processes, and what to look for in a site visit.