ISO 27001 (Information Security Standard)

ISO/IEC 27001 is an internationally recognised standard requiring organisations to establish and maintain a certified Information Security Management System (ISMS).

Last reviewed: 2026/05/22

Frequently Asked Questions

What is the difference between ISO 27001 certification and ISO 27001 compliance?

Certification means an accredited third-party body has audited the organisation and issued a certificate. Compliance is a self-assessed claim without third-party verification. A vendor claiming "ISO 27001 compliant" has not necessarily been certified. For procurement purposes, require certification with a certificate from an accredited body — not a self-assessment claim.

Does ISO 27001 cover how an AI model uses my client data during inference?

Not directly. ISO 27001 covers the information security management system around the AI product — access controls, encryption at rest and in transit, incident response, and vendor management. It does not address whether the AI model uses client data to update its training, what happens to prompts during inference, or how outputs are logged. These questions require separate review of the vendor's data processing agreement and zero-data-retention policy.

How often does an ISO 27001 certificate need to be renewed?

ISO 27001 certificates are valid for three years, with mandatory annual surveillance audits in years one and two. At year three, a full recertification audit is required. If a surveillance audit reveals significant nonconformities that are not resolved, the certificate can be suspended or withdrawn. Law firms should verify that both the certificate and the most recent surveillance audit are current before relying on the certification.

Related Concepts

  • SOC 2 Type II Compliance (category: Security)

    An independent CPA audit confirming a vendor's security controls operated effectively over 6–12 months against AICPA Trust Service Criteria.

  • GDPR (General Data Protection Regulation) (category: Security)

    EU Regulation 2016/679 governing personal data collection, processing, and transfer for EU residents — directly applicable to law firms using AI tools on EU client matters.

  • Zero Data Retention (ZDR) (category: Security)

    An AI vendor commitment that customer inputs and outputs are not stored beyond the immediate processing session — the strongest available privacy assurance for sensitive legal queries.

Related Tools

  • Harvey AI

    The most expensive legal AI in the market — Am Law 100 firms only.

  • Lexis+ AI

    Conversational legal research with real-time Shepard's citation validation.

  • Legalfly

    European-compliant AI legal platform with built-in GDPR safeguards for contract review and research.

  • Ironclad

    Full-stack CLM with native AI for contract drafting, approval, and analytics.

Related Reading

  • Legal AI Security: What Every Law Firm Must Verify Before Adoption

Last reviewed: 2026/05/22. Definitions are written by the LawyerAI Editorial team. We do not accept affiliate commissions; Featured placement is clearly labeled and does not influence editorial content.


Definition

ISO/IEC 27001:2022 is the current version of the international standard for Information Security Management Systems (ISMS), developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It requires organisations to establish, implement, maintain, and continually improve a systematic framework for managing information security risks. Certification is granted by accredited third-party certification bodies following a formal audit and is typically valid for three years, with annual surveillance audits.

ISO 27001 does not prescribe specific technical controls. Instead, it requires organisations to identify their information assets, assess risks to those assets, select controls from Annex A of the standard appropriate to their risk profile, implement them, and demonstrate through documented evidence that the ISMS operates effectively. The 2022 revision replaced the 2013 version and introduced significant structural and substantive changes relevant to cloud-dependent organisations — including most legal AI vendors.

For law firms evaluating legal AI vendors, ISO 27001 certification is one of the two primary security assurance frameworks they should require, alongside SOC 2 Type II. Understanding what ISO 27001 does and does not cover is essential for making that requirement meaningful.

Why It Matters for Lawyers

Client data obligations. Law firms hold some of the most sensitive personal and commercial data in any industry: litigation strategy documents, M&A transaction details, personal injury records, immigration files. Their professional responsibility obligations — including Model Rule 1.6 (confidentiality) and its state equivalents — require taking reasonable precautions to prevent unauthorised disclosure. Deploying a legal AI tool means routing client data through third-party infrastructure. ISO 27001 certification of that infrastructure is a threshold indicator that reasonable precautions are in place.

Big Law procurement requirements. As of 2026, enterprise legal technology procurement at large firms routinely requires ISO 27001 certification. The Consilio 2025 Legal Technology Security Report found that 78% of AmLaw 100 firms require ISO 27001 certification or equivalent as a condition of vendor approval for tools handling client data. Solo practitioners and smaller firms are increasingly subject to client-imposed requirements that track this standard.

GDPR and ISO 27001 alignment. ISO 27001 does not guarantee GDPR compliance, but its risk-based ISMS framework aligns with GDPR Article 32, which requires appropriate technical and organisational measures to ensure security appropriate to the risk. A vendor with ISO 27001 certification can point to its ISMS as evidence of compliance with Article 32, though GDPR compliance requires additional measures beyond information security management (including data subject rights fulfillment, lawful processing bases, etc.).

Bar and regulatory guidance. The New York State Bar Association Committee on Professional Ethics Opinion 1019 (2014), extended by subsequent guidance, and the ABA Formal Opinion 477R (2017) both emphasise that lawyers must make reasonable efforts to prevent unauthorised access to client information when using cloud-based tools. ISO 27001 certification of a cloud vendor is cited in bar guidance as relevant evidence of reasonable precaution.

Cost of a breach. The IBM Cost of a Data Breach Report 2025 found that the legal and professional services sector had an average breach cost of $5.3 million, above the cross-industry average. For law firms, the cost includes not only financial exposure but reputational damage and professional liability. Vendor security certification reduces but does not eliminate this exposure.

How It Works (Technical)

The ISMS framework. ISO 27001 requires organisations to operate an Information Security Management System — a documented, risk-driven management framework, not a checklist of controls. The ISMS encompasses: organisational context and scope definition, information security policies, risk assessment and treatment processes, objectives and monitoring, documented evidence of operations, and a management review process with continual improvement obligations. This process-orientation distinguishes ISO 27001 from compliance frameworks that focus on point-in-time control inventories.

ISO/IEC 27001:2022 changes from the 2013 version. The 2022 revision made two categories of significant change. First, structural: Annex A controls were reorganised from 14 domains and 114 controls to 4 themes and 93 controls. The four themes are: Organisational controls (37), People controls (8), Physical controls (14), and Technological controls (34). Second, substantive: 11 new controls were added that are directly relevant to cloud and AI-dependent organisations:

  • Threat intelligence (5.7)
  • Information security for use of cloud services (5.23)
  • ICT readiness for business continuity (5.30)
  • Physical security monitoring (7.4)
  • Configuration management (8.9)
  • Information deletion (8.10)
  • Data masking (8.11)
  • Data leakage prevention (8.12)
  • Monitoring activities (8.16)
  • Web filtering (8.23)
  • Secure coding (8.28)

The addition of cloud services (5.23) and data leakage prevention (8.12) is directly relevant to legal AI vendors, who typically operate as cloud-based SaaS platforms and handle confidential client data.

ISO 27001 versus SOC 2 Type II — the key distinctions. These two frameworks are frequently conflated but differ in important ways:

Scope and recognition: ISO 27001 is an internationally recognised certification. SOC 2 is an attestation report developed by the AICPA, dominant in North American markets, and less familiar to European procurement teams. Global law firms typically require both.

Process vs. control effectiveness: ISO 27001 certifies that an ISMS exists and operates. SOC 2 evaluates whether specific controls were effective over an audit period (typically six or twelve months). SOC 2 Type II is considered more demanding than SOC 2 Type I (which only checks that controls exist, not that they work).

Certification vs. attestation: ISO 27001 issues a certificate from an accredited certification body. SOC 2 produces an attestation report from a licensed CPA firm. A certificate is a binary pass/fail outcome; a SOC 2 report is a detailed narrative with observations and exceptions.

Scope specificity: Both certifications can be scoped narrowly. A vendor may hold ISO 27001 for a specific product line or data centre, not for its entire operation. Reviewing scope is essential.

AI-specific limitation. ISO 27001 covers the information security management system surrounding an AI product — access controls, encryption, incident response, vendor management. It does not address AI-specific risks: model hallucination rates, training data provenance, bias in AI outputs, or the behaviour of language models under adversarial prompting. A vendor with ISO 27001 certification has demonstrated sound information security practices; this says nothing about the accuracy, reliability, or fairness of its AI models.

How Legal AI Vendors Address It

Harvey AI holds SOC 2 Type II certification for its core platform. ISO 27001 certification status varies by deployment region and contract structure as of 2026 — enterprise agreements typically specify a broader certification scope than standard SaaS agreements. Harvey's enterprise procurement documentation specifies which data centres and processing environments are in scope for each certification. Limitation: law firms should not assume that a Harvey enterprise agreement automatically extends ISO 27001 coverage to all data processed; specific scope confirmation is required.

Lexis+ AI (LexisNexis) operates on LexisNexis's broader enterprise infrastructure, which holds ISO 27001 certification for its core research and analytics platforms. The specific scope of ISO 27001 coverage applicable to Lexis+ AI's AI processing components requires confirmation through enterprise agreement review. LexisNexis publishes a security overview document for enterprise clients. Limitation: the size and complexity of LexisNexis's infrastructure means that ISO 27001 scope documents can be extensive and technical — law firms should request a scope summary specific to the Lexis+ AI product.

LegalFly achieved ISO 27001:2022 certification in 2025, covering its core legal AI platform. LegalFly's certification scope includes its cloud infrastructure, data processing systems, and customer support operations. It publishes its certificate and scope summary publicly. Limitation: LegalFly is a smaller vendor than Harvey or LexisNexis, and annual surveillance audits are an obligation it must continue to meet — law firms should verify that the certificate is current and that there have been no material findings in surveillance audits.

Ironclad holds both SOC 2 Type II and ISO 27001 certifications for its contract lifecycle management platform. Ironclad's security documentation is among the most transparent in the legal technology market, with a public trust centre publishing current certificate status and recent audit reports. Limitation: Ironclad is a CLM platform, not a generative AI legal research tool — its ISO 27001 coverage addresses contract data management security, which is relevant to firms using it for contract workflows but does not address AI model behaviour.

How Lawyers Should Verify / Apply It

  1. Request the certificate, not just the claim. An ISO 27001 certificate should specify: the certification body (verify it is accredited by UKAS, DAkkS, or an equivalent national accreditation body); the scope statement (which products, data centres, and processes are covered); and the valid-from and expiry dates. A certificate that is more than twelve months old without evidence of a surveillance audit should be treated as potentially lapsed.

  2. Confirm that the scope covers your specific use case. Ask the vendor: is my firm's data processed in an environment within the ISO 27001 scope? If the vendor hosts data in a region not covered by the certification scope, the certification provides no assurance for that data.

  3. Review the Statement of Applicability (SoA). The SoA is a required ISO 27001 document that lists every Annex A control and the vendor's decision to include or exclude it, with justification. Requesting the SoA reveals which controls the vendor has excluded and why — a useful signal of risk appetite.

  4. Verify that ISO 27001 is current, not historical. ISO 27001:2013 certificates are no longer valid as of October 2025, when the three-year transition period to ISO 27001:2022 expired. Any vendor presenting a 2013-version certificate after that date holds an outdated certification.

  5. Require both ISO 27001 and SOC 2 Type II for high-sensitivity engagements. For matters involving highly sensitive client data — M&A transactions, litigation, regulatory investigations — rely on neither framework alone. ISO 27001 confirms process rigor; SOC 2 Type II confirms control effectiveness. Together they provide a more complete picture than either alone.
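The five verification steps above, turned into a small due-diligence check. This is an added example, not code from LawyerAI or any vendor; the certificate records, the region names and the "eu-west" data region are constructed, and the accreditation flag assumes you have already confirmed the issuing body against UKAS, DAkkS or an equivalent register.

```python
from dataclasses import dataclass, field
from datetime import date

# Annex A (2022) controls the page singles out as cloud/AI-relevant: id -> name.
NEW_2022_CONTROLS = {
    "5.7": "Threat intelligence", "5.23": "Use of cloud services",
    "5.30": "ICT readiness for business continuity", "7.4": "Physical security monitoring",
    "8.9": "Configuration management", "8.10": "Information deletion", "8.11": "Data masking",
    "8.12": "Data leakage prevention", "8.16": "Monitoring activities",
    "8.23": "Web filtering", "8.28": "Secure coding",
}
TRANSITION_END = date(2025, 10, 31)   # last day an ISO 27001:2013 certificate was valid

@dataclass
class CertRecord:                     # what a vendor's certificate and SoA should tell you
    version: str                      # "2013" or "2022"
    accredited_body: bool             # issuer accredited by UKAS, DAkkS or equivalent
    valid_from: date
    expires: date
    last_audit: date                  # initial, surveillance or recertification audit
    scope_regions: set                # hosting regions named in the scope statement
    excluded_controls: set = field(default_factory=set)   # SoA exclusions

def assess(rec: CertRecord, today: date, data_region: str) -> list:
    """Return findings; an empty list means the record passes every check on the page."""
    findings = []
    if rec.version != "2022" and today > TRANSITION_END:
        findings.append("outdated: ISO 27001:2013 certificate presented after the transition deadline")
    if not rec.accredited_body:
        findings.append("certification body is not accredited")
    if not rec.valid_from <= today <= rec.expires:
        findings.append("certificate is outside its validity period")
    if (today - rec.last_audit).days > 365:
        findings.append("no audit evidence in the last 12 months; treat as potentially lapsed")
    if data_region not in rec.scope_regions:
        findings.append(f"data region {data_region!r} is not in the certified scope")
    for cid in sorted(rec.excluded_controls & set(NEW_2022_CONTROLS)):
        findings.append(f"SoA excludes {cid} {NEW_2022_CONTROLS[cid]}; ask for the justification")
    return findings

# Constructed sample records (not real vendors), assessed on the page's review date.
REVIEW_DATE = date(2026, 5, 22)
CURRENT_VENDOR = CertRecord("2022", True, date(2025, 3, 1), date(2028, 2, 28),
                            date(2025, 3, 1), {"eu-west"}, {"8.23"})
LEGACY_VENDOR = CertRecord("2013", True, date(2023, 6, 1), date(2026, 5, 31),
                           date(2025, 6, 1), {"us-east"})

def example_findings() -> dict:
    return {"current": assess(CURRENT_VENDOR, REVIEW_DATE, "eu-west"),
            "legacy": assess(LEGACY_VENDOR, REVIEW_DATE, "eu-west")}
```

The "current" vendor is caught on a stale surveillance audit and an excluded cloud-relevant control even though its certificate is otherwise valid; the "legacy" vendor fails on the 2013 version and on scope.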