6 Important Questions Law Firms Should Ask Their Prospective Suppliers of New Software

When bringing on board new practice management software partners, or any new technology partners, there are many cyber security-related questions we'd highly recommend law firms ask. You cannot delve too deeply into a new supplier's cyber security credentials. As we keep reiterating throughout this blog, these measures probably apply to law firms more than most other businesses, purely because of the highly sensitive nature of the information they hold on behalf of clients. This, coupled with the high levels of cybercrime affecting the profession today, probably makes information security one of the most important items on any law firm's checklist when signing up with a new IT/software partner.

The top 6 security questions we believe a law firm should ask of any prospective software or IT services provider are:

1. How secure is their datacentre for SaaS?

For firms going with a cloud solution: can your supplier prove they operate their SaaS solution (i.e. for cloud hosting) within an ISO 27001 certified datacentre? ISO 27001 is the international standard that stipulates best practice for an information security management system.

2. How seriously does the prospective supplier take information security?

Can your supplier prove THEY themselves are also ISO 27001 certified? Certification to ISO 27001 demonstrates that an organisation is following robust information security best practices. Some suppliers say they have ISO 27001 certification when in fact it is only their third-party datacentre that has it. For belt-and-braces information security management, your supplier should have it too.

3. Ask for a penetration test report

Can your supplier present a recent penetration test report? Penetration testing (often referred to as pen testing) is the practice of testing a computer system, network or web application in order to find any vulnerabilities that could be exploited by a cybercriminal.

4. Can you see an audit trail?

Do you have access to an audit trail within your practice management software? That is, are you able to see if users are accessing areas they shouldn't?

5. Ask about security patching

Can your supplier demonstrate a robust security patching process within their SaaS infrastructure, i.e. for keeping up to date with Microsoft database security standards?

6. Ask about Cyber Essentials accreditation

Can your supplier prove they are Cyber Essentials accredited? Cyber Essentials is a government-backed cyber security certification scheme that sets out a good baseline of cyber security for organisations. The scheme is designed to prevent cyber-attacks.

*Access Legal is the original source of this blog series: Cyber security for law firms.

Access Legal

Working in partnership with more than 3,500 UK law firms and underpinned by over 30 years of sector experience, Access Legal provides an unrivalled suite of complete software solutions. From case and practice management, finance, accounting and business intelligence to learning, compliance and HR – Access Legal helps firms take control of their time, improve efficiency and productivity. By providing software to manage every aspect of a firm’s operations, Access Legal enables ambitious firms to reach unlimited potential and have the freedom to focus on clients and people to drive profitability and growth. Access Legal is part of The Access Group, a leading provider of business management software to mid-sized organisations. It helps more than 35,000 customers across commercial and not-for-profit sectors become more productive and efficient. Its innovative Access Workspace cloud solution transforms the way business software is used, giving every employee the freedom to do more. Founded in 1991, The Access Group employs more than 3000 staff.