We design our information security management system in line with industry-standard control frameworks such as ISO 27001, SOC 2 and SOC 1.
ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.
LawVu achieved ISO 27001 certification in April 2019 and maintains annual internal and external audits to keep our certification current.
Our statement of applicability and certification documents are available as part of the LawVu security pack.
SOC 1 (System and Organization Controls) is a regularly refreshed report of the internal controls that are likely to be relevant to an audit of a customer’s financial statements.
LawVu was first audited for SOC 1 compliance in February 2021. Our full report is available as part of the LawVu security pack.
SOC 2 (System and Organization Controls) is a regularly refreshed report that focuses on non-financial reporting controls as they relate to security, availability, and confidentiality of a cloud service.
LawVu was first audited for SOC 2 compliance in January 2020. Our full report is available as part of the LawVu security pack.
At LawVu we maintain a comprehensive risk management program.
Annual risk assessments require participation from the whole organisation to identify risk across the entire company.
Our risk assessment standard utilises an evaluation matrix based around confidentiality, integrity and availability (CIA), and our treatment policy requires the application of applicable controls from the ISO 27001 standard to mitigate all identified risks.
The risk assessment and treatment plan are reviewed by senior management to ensure that all residual risks are understood and accepted, and a risk assessment report is produced.
Risk assessments are also triggered after any major change.
LawVu seeks to maintain the security of our sensitive data and systems whenever they are accessed, processed or managed by external parties. Therefore, the risks to our data and systems from external parties are quantified, and appropriate controls implemented before access is granted.
Where sensitive information is shared with external service providers, the commercial agreement will specify their information security responsibilities. External service providers who handle our sensitive information will agree to adhere to our information security policy. LawVu also maintains the right to audit external parties that handle our sensitive information.
Request a copy of our security pack
The LawVu security pack contains everything your organisation needs to get started on a security assessment of LawVu.