Law firm strengthens cyber resilence and earns ISO 27001 certification 

Meeting rising client demands for cyber assurance

For professional services firms, cybersecurity is no longer just an internal IT concern. It’s become a core measure of trust between teams and the clients who rely on them. Law firms in particular are entrusted with highly sensitive client data, making their security posture critically important to protect their clients’ interests. As cyber incidents continue to rise across client-facing industries, many clients now view formal, third-party validation of cybersecurity practices as table stakes.

These concerns led a leading global law firm to strengthen its cyber assurance. The organization’s CISO, deputy CISO, and head of governance, risk and compliance, backed by the firm leadership team, engaged Grant Thornton to support its journey to provide independent validation of its cybersecurity program to clients. That meant aligning with widely recognized standards: achieving ISO 27001 certification while strengthening risk management practices aligned with the NIST Cybersecurity Framework.

“Early on, it became clear that while the firm had received prior security assessment support from other providers, however, they had struggled to turn those recommendations into actionable solutions across their teams,” said Tito Chatterjee, Cyber & Privacy Advisory Services Senior Manager. “We knew this would require closer collaboration with their key stakeholders to not only identify risks but also mitigate them in a way that met international standards and reinforced trust with their clients. The annual risk assessment report is ultimately shared with some of their biggest clients — large, industry‑leading organizations that require this level of assurance.”

Building an actionable path to cyber assurance

Chatterjee and his team understood that they needed to take a practical and collaborative approach to their work: advancing the firm’s information security maturity without disrupting day-to-day operations.

Re-evaluating risks

The team began with an information security assessment aligned to the NIST Cybersecurity Framework. Grant Thornton evaluated the firm’s current-state controls, identifying opportunities for improvement and rating the maturity of the program.

At the same time, the team performed external and internal network penetration testing, which provided insight into vulnerabilities and misconfigurations and helped inform remediation decisions.

Working closely with key stakeholders, the team helped define remediation priorities and develop the firm’s cyber risk register to track and manage key risks year over year.

Mapping current state to requirements

From there, Grant Thornton assessed how the firm's existing security practices mapped to ISO 27001 requirements, focusing on finding gaps that could affect audit readiness and translating those gaps into actionable remediation steps with step-by-step advisory and technical support along the entire journey.

Preparing for audit

Before the firm pursued external certification for ISO 27001, Grant Thornton’s Internal Audit team conducted an internal audit, which helped identify any nonconformities or opportunities for improvement and validating the appropriate corrective action plans from firm management, providing the firm a clear view of what they needed to address before certification.