How It Works (Technical)
The ISMS framework. ISO 27001 requires organisations to operate an Information Security Management System — a documented, risk-driven management framework, not a checklist of controls. The ISMS encompasses: organisational context and scope definition, information security policies, risk assessment and treatment processes, objectives and monitoring, documented evidence of operations, and a management review process with continual improvement obligations. This process-orientation distinguishes ISO 27001 from compliance frameworks that focus on point-in-time control inventories.
ISO/IEC 27001:2022 changes from the 2013 version. The 2022 revision made two categories of significant change. First, structural: Annex A controls were reorganised from 14 domains and 114 controls to 4 themes and 93 controls. The four themes are: Organisational controls (37), People controls (8), Physical controls (14), and Technological controls (34). Second, substantive: 11 new controls were added that are directly relevant to cloud and AI-dependent organisations: - Threat intelligence (5.7) - Information security for use of cloud services (5.23) - ICT readiness for business continuity (5.30) - Physical security monitoring (7.4) - Configuration management (8.9) - Information deletion (8.10) - Data masking (8.11) - Data leakage prevention (8.12) - Monitoring activities (8.16) - Web filtering (8.23) - Secure coding (8.28)
The addition of cloud services (5.23) and data leakage prevention (8.12) is directly relevant to legal AI vendors, who typically operate as cloud-based SaaS platforms and handle confidential client data.
ISO 27001 versus SOC 2 Type II — the key distinctions. These two frameworks are frequently conflated but differ in important ways:
Scope and recognition: ISO 27001 is an internationally recognised certification. SOC 2 is an attestation report developed by the AICPA, dominant in North American markets, and less familiar to European procurement teams. Global law firms typically require both.
Process vs. control effectiveness: ISO 27001 certifies that an ISMS exists and operates. SOC 2 evaluates whether specific controls were effective over an audit period (typically six or twelve months). SOC 2 Type II is considered more demanding than SOC 2 Type I (which only checks that controls exist, not that they work).
Certification vs. attestation: ISO 27001 issues a certificate from an accredited certification body. SOC 2 produces an attestation report from a licensed CPA firm. A certificate is a binary pass/fail outcome; a SOC 2 report is a detailed narrative with observations and exceptions.
Scope specificity: Both certifications can be scoped narrowly. A vendor may hold ISO 27001 for a specific product line or data centre, not for its entire operation. Reviewing scope is essential.
AI-specific limitation. ISO 27001 covers the information security management system surrounding an AI product — access controls, encryption, incident response, vendor management. It does not address AI-specific risks: model hallucination rates, training data provenance, bias in AI outputs, or the behaviour of language models under adversarial prompting. A vendor with ISO 27001 certification has demonstrated sound information security practices; this says nothing about the accuracy, reliability, or fairness of its AI models.
How Legal AI Vendors Address It
Harvey AI holds SOC 2 Type II certification for its core platform. ISO 27001 certification status varies by deployment region and contract structure as of 2026 — enterprise agreements typically specify a broader certification scope than standard SaaS agreements. Harvey's enterprise procurement documentation specifies which data centres and processing environments are in scope for each certification. Limitation: law firms should not assume that a Harvey enterprise agreement automatically extends ISO 27001 coverage to all data processed; specific scope confirmation is required.
Lexis+ AI (LexisNexis) operates on LexisNexis's broader enterprise infrastructure, which holds ISO 27001 certification for its core research and analytics platforms. The specific scope of ISO 27001 coverage applicable to Lexis+ AI's AI processing components requires confirmation through enterprise agreement review. LexisNexis publishes a security overview document for enterprise clients. Limitation: the size and complexity of LexisNexis's infrastructure means that ISO 27001 scope documents can be extensive and technical — law firms should request a scope summary specific to the Lexis+ AI product.
LegalFly achieved ISO 27001:2022 certification in 2025, covering its core legal AI platform. LegalFly's certification scope includes its cloud infrastructure, data processing systems, and customer support operations. It publishes its certificate and scope summary publicly. Limitation: LegalFly is a smaller vendor than Harvey or LexisNexis, and annual surveillance audits are an obligation it must continue to meet — law firms should verify that the certificate is current and that there have been no material findings in surveillance audits.
Ironclad holds both SOC 2 Type II and ISO 27001 certifications for its contract lifecycle management platform. Ironclad's security documentation is among the most transparent in the legal technology market, with a public trust centre publishing current certificate status and recent audit reports. Limitation: Ironclad is a CLM platform, not a generative AI legal research tool — its ISO 27001 coverage addresses contract data management security, which is relevant to firms using it for contract workflows but does not address AI model behaviour.
How Lawyers Should Verify / Apply It
-
Request the certificate, not just the claim. An ISO 27001 certificate should specify: the certification body (verify it is accredited by UKAS, DAkkS, or an equivalent national accreditation body); the scope statement (which products, data centres, and processes are covered); and the valid-from and expiry dates. A certificate that is more than twelve months old without evidence of a surveillance audit should be treated as potentially lapsed.
-
Confirm that the scope covers your specific use case. Ask the vendor: is my firm's data processed in an environment within the ISO 27001 scope? If the vendor hosts data in a region not covered by the certification scope, the certification provides no assurance for that data.
-
Review the Statement of Applicability (SoA). The SoA is a required ISO 27001 document that lists every Annex A control and the vendor's decision to include or exclude it, with justification. Requesting the SoA reveals which controls the vendor has excluded and why — a useful signal of risk appetite.
-
Verify that ISO 27001 is current, not historical. ISO 27001:2013 certificates are no longer valid as of October 2025, when the three-year transition period to ISO 27001:2022 expired. Any vendor presenting a 2013-version certificate after that date holds an outdated certification.
-
Require both ISO 27001 and SOC 2 Type II for high-sensitivity engagements. For matters involving highly sensitive client data — M&A transactions, litigation, regulatory investigations — rely on neither framework alone. ISO 27001 confirms process rigor; SOC 2 Type II confirms control effectiveness. Together they provide a more complete picture than either alone.