We design our information security management system in line with industry-standard control frameworks such as ISO27001, SOC 2, SOC 1 & HIPAA

ISO 27001

ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.

LawVu achieved ISO27001 in April 2019 and maintains annual internal and external audits to keep our certification current.

Our statement of applicability and certification documents are available as part of the LawVu security pack.

SOC 1

SOC 1 (System and Organization Controls) is a regularly refreshed report of the internal controls that are likely to be relevant to an audit of a customer’s financial statements. LawVu was first audited for SOC1 compliance in February 2021. Our full report is available as part of the LawVu security pack.

SOC 2

SOC 2 (System and Organization Controls) is a regularly refreshed report that focuses on non-financial reporting controls as they relate to security, availability, and confidentiality of a cloud service. LawVu was first audited for SOC2 compliance in January 2020. Our full report is available as part of the LawVu security pack..

HIPAA

HIPAA is the Health Insurance Portability and Accountability Act that was passed by US Congress in 1996 for the protection of health information. LawVu has achieved an independent seal of compliance from AssuranceLab and continues to work with them on an ongoing basis to maintain and illustrate compliance.

CCPA

CCPA is a Californian law that protects the privacy and security of personal data that was passed by the California State Legislature in 2018. LawVu has achieved an independent seal of compliance from AssuranceLab and continues to work with them on an ongoing basis to maintain and illustrate compliance.

GDPR

GDPR is an EU law that protects the privacy and security of personal data that was approved by the European Parliament in 2016. LawVu has achieved an independent seal of compliance from AssuranceLab and continues to work with them on an ongoing basis to maintain and illustrate compliance.

Risk management

At LawVu we maintain a comprehensive risk management program.

Annual risk assessments require participation from the whole organisation to identify risk across the entire company.

Our risk assessment standard utilises an evaluation matrix based around confidentiality, integrity and availability (CIA) and our treatment policy requires the application of applicable controls from the ISO27001 standard to mitigate all identified risks.

The risk assessment and treatment plan are reviewed by senior management to ensure that all residual risks are understood and accepted and a risk assessment report is produced.

Risk assessments are also triggered after any major change.

Supplier relationships

LawVu seeks to maintain the security of our sensitive data and systems whenever they are accessed, processed or managed by external parties. Therefore, the risks to our data and systems from external parties are quantified, and appropriate controls implemented before access is granted.

Where sensitive information is shared with external service providers, the commercial agreement will specify their information security responsibilities. External service providers who handle our sensitive information will agree to adhere to our information security policy. LawVu also maintains the right to audit external parties that handle our sensitive information.