ISO 27001 certification for Morton Fraser

Company Overview

Based in Edinburgh and Glasgow, Morton Fraser is one of Scotland’s largest independent law firms. They represent a broad range of clients across the public sector, businesses, individuals and families. In 2018, they were awarded Business Insider’s Scottish SME of the Year award, which recognises and celebrates Scotland’s best-performing small and medium-sized businesses, and they have been voted one of the UK’s Top 100 Companies to Work For. Clarity is fundamental to everything they do. This applies not only to their work but also to their security posture.

The Challenge

In December 2017, Morton Fraser approached Commissum to review the security measures they already had in place and to carry out a gap analysis against the ISO 27001 standard. This was partly in response to the increasing number of security queries and requests they were receiving from clients, but mainly because the firm was committed to improving the security of the business and to better mitigating the risk and impact of a cyber-attack.

To better understand what Morton Fraser needed to protect, which effective controls they already had in place, and which additional controls they would need to move forward with this plan, Commissum began with a Business Impact Assessment. This assessment reviewed Morton Fraser’s information assets, how critical each was to the firm, and the level of security control appropriate to it. A gap analysis was then performed, comparing their existing security measures against the ISO 27001 requirements, together with a risk assessment to determine whether those controls met the requirements identified by the Business Impact Assessment. From these results, we presented a roadmap for the implementation of an ISO 27001 Information Security Management System (ISMS) and eventual certification. Morton Fraser then began embedding the ISMS into the business, identifying security requirements and how best to address them.

In November 2018, Commissum provided further expertise in the form of a virtual Chief Information Security Officer (vCISO) service. The vCISO developed and supported an information security strategy which:

  • Aligned to business objectives
  • Established and embedded an information security transformation programme
  • Assisted with creating an information security forum to drive business change and demonstrate corporate governance
  • Identified where new processes were required, including monitoring and reporting, as these activities transitioned into business-as-usual operation.

Working closely with key members of staff at Morton Fraser meant that we were able to guide and support the implementation of a now flourishing security culture and robust security management practices throughout the firm. At the same time, we monitored alignment to the requirements of ISO 27001 in preparation for the eventual certification process, including providing advice on choosing the right certification body.

In September 2019, one particular area was identified as requiring additional support: internal audit – a mandatory requirement of the ISO 27001 standard (clause 9.2). This is often the case for organisations seeking certification, as having the necessary audit skills in-house while maintaining the required independence from the activities being audited can be difficult to achieve. Commissum once again assisted, providing a qualified auditor to Morton Fraser and establishing and implementing a risk-based audit plan which addressed all the management clauses and controls in scope.

The Outcome

Morton Fraser successfully achieved ISO 27001 certification in January 2020, and are now equipped with the knowledge to recognise and mitigate the risk from cyber-attacks. Not only did they take steps to address these risks, but they went further in establishing an organisation-wide management framework, ensuring that information security is now an integral part of who they are and what they do.

Rob Horne, Commissum’s Advisory and Audit practice lead, said, “Morton Fraser’s journey has been an exceptional one. They have embraced information security as a behaviour rather than a compliance activity which has meant that adoption of ISO 27001 has been one of the best implementations I’ve seen.”