One of the nation’s largest and most prestigious law firms, Shook, Hardy & Bacon deals with a variety of sensitive client data, and as a result, must have secure and compliant business practices. Attorneys and other legal professionals handle an abundance of client data, but many law firms aren’t equipped with the IT-focused staff needed to stay abreast of compliance issues, let alone put practices in place to ensure client and firm data is protected. The legal industry, the seventh most frequent target of cyber criminals, is facing increased pressure from clients to protect their information.
Shook, Hardy & Bacon wanted to be proactive and ensure it was protecting its clients’ information while following best practices for information security internally. To accomplish this, the firm established an information governance committee of more than a dozen members; it included the firm’s CIO, General Counsel, attorneys, additional IT team members and members of management. “The committee meets on a regular basis to talk about trends in the industry, trends in general, and what is happening inside of our firm,” explained John Anderson, CIO of Shook, Hardy & Bacon.
In 2013, one of the trends the committee had been eyeing was the ISO 27001 certification, which, according to Anderson, was a relatively new certification to have in the legal industry.
To get started, the firm worked with an independent security consultant to create a roadmap for the ISO 27001 certification. The security consultant then recommended the firm use Schellman & Company for its audit.
“It’s very important for our clients to know their information is properly safeguarded, and the ISO 27001 certification is a way for us to prove that we have strong information security practices that are verified by a third-party auditor.”
John Anderson | CIO | Shook, Hardy & Bacon
“Shook, Hardy & Bacon saw this as an opportunity for them to broadcast that it takes information security very seriously,” said Ryan Mackie, ISO Certification Practice Director at Schellman & Company.
In 2014, the Schellman & Company team came to Shook, Hardy & Bacon’s Kansas City headquarters to conduct the first audit and returned a month later to conduct the final audit.
Among the first U.S.-based law firms to receive an ISO 27001 certification, Shook, Hardy & Bacon has used it as a competitive advantage and has also been able to create an internal culture of information security.
Anderson continued: “We always had an information security awareness program that let everyone know what their responsibilities and obligations were, but after we developed the additional policies and procedures that are required for ISO 27001 certification, we were able to require everyone in the firm to read and acknowledge those policies. We also conduct annual training to reinforce the policies and obligations.” Shook, Hardy & Bacon’s commitment to information security is allowing the firm to blaze new trails in the legal industry, according to Mackie.
“They’re considered a trailblazer and we definitely applaud them,” said Mackie. “It’s a big effort for any organization to undertake, specifically one like a law firm, not to mention a law firm that didn’t have necessarily a direct customer requirement. It was a great experience because they see the value of compliance.”
Thanks to Schellman’s professionalism, Anderson sees the two companies continuing to work together. “They clearly understand security and were always prepared,” said Anderson. “They always treated us very respectfully, and we enjoyed working with them and look forward to working with them in the future.” Given the massive amounts of data law firms handle today, it’s only a matter of time before ISO 27001 will become commonplace in the legal industry, according to Mackie.
“For law firms considering ISO 27001, I don’t think there’s any better tool to have in their compliance stack than this one. ISO 27001 lets firms communicate to their customers that they’re serious about their data, where it’s stored and who has access to it.”
Ryan Mackie | ISO Certification Practice Director | Schellman