Information Security Program Overview and Governance

ISO 27001:2022, ISO 27701:2019 and ISO 22301:2019 Certified

Systems and data are protected by a comprehensive ISO 27001:2022,  ISO 27701:2019, and ISO 22301:2019 certified security program and framework that supports:

  • Cybersecurity Maturity Model Certification (CMCC)
  • EU General Data Protection Regulation (GDPR)
  • United States privacy regulations such as California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA)
  • American Bar Association’s Formal Opinion 477R for Securing Communication of Protected Client Information
  • United Kingdom privacy regulations
  • China privacy regulations

Dedicated security, privacy, information governance, and compliance professionals maintain the program with oversight provided by senior management through Cooley’s internal Information Security and Privacy Forum. The Information Security Forum conducts an annual risk assessment, reviews risks regularly and tracks risks using a process compliant with ISO 27005.  The following policies govern the program:

Acceptable Use Policies  Security Policies
Access Asset & Risk Management
Passwords Human Resource Security
Mobile Device/BYOD Awareness & Education
Remote Access Physical and Environmental Security
Electronic Communications Operational Security
Internet Usage Privileged Account Management
Data and Information Vendor/Supplier Management/Onboarding & Monitoring
Media Handling Security and Privacy Incident Management
Software and Application use                      Encryption
  Change Management
  Business Continuity / Disaster Recovery



The firm is audited annually, both through an independent internal audit function and through a certifying body, under the ISO 27001:2022, ISO 27701:2019 and ISO 22301:2019 frameworks.  Additionally, the firm regularly monitors and audits its security and information governance people, processes, and controls to ensure compliance with policies and applicable security and privacy standards.  The firm conducts an independent external penetration test annually and regularly scans its external and internal network for vulnerabilities.  The firm’s security program is regularly audited by its clients. 


The firm maintains its systems and data in hardened SOC 2 Type 2 certified datacenters.  Data and systems are replicated and backed up to secondary datacenters.  Systems are securely designed, and all systems are reviewed by the security team before being put into production. 

Perimeter Security

The firm protects data, servers, and endpoints on the network using a variety of best-of-breed security controls, including next generation firewalls, web filtering gateways, email gateways, honeypots, IDS/IPS, and targeted attack protection.  This allows the firm to block access to suspicious and malicious sites, IP’s, emails, and attachments.  Targeted attack protection is used to find and mitigate zero-day attacks through email by using URL rewrites, attachment sandboxing, and email recalling.   

Data Controls

Client data is classified, protected according to its classification, encrypted at rest and in transit, logically separated and access granted to authorized users only.  File integrity monitoring systems log and monitor access to data while data loss prevention systems control the movement of data inside and outside of the firm.

Access Controls

Access and processing capabilities are limited to authorized users from authorized devices.  A unique user ID with a complex password that rotates every 120 days is assigned to every authorized user and is required to login.  Remote access requires 2-factor authentication using tokens that randomly re-generate every 60 seconds.  Privileged system credentials are stored, managed, and tracked in a privileged account management system.

Endpoint Security

All workstations and mobile devices are encrypted with whole disk encryption and require a password, pin, or biometrics to access.  Workstation inventories, software deployment, and security policies are controlled through Microsoft’s SCCM.  Only authorized software can be installed through the firm’s software library.  All mobile devices require registration with the firm’s mobile device management system.  Workstations and servers are protected with advanced endpoint protection, which uses AI to assist in combating threats.  Portable workstations left unattended in Cooley offices are physically secured.

Incident Response

The firm’s Security Incident Response Plan dictates all security events be evaluated and escalated when appropriate.  A security information and event management (SIEM) system maintains and analyzes all security logs.  Logs are regularly reviewed for suspicious activity and unusual behavior by dedicated security personnel.  Memberships with the International Legal Technology Association (ILTA), Legal Services Information Sharing and Analysis Organization (LS-ISAO) and FBI InfraGard, along with close working relationships with law enforcement, provide additional threat intelligence and analysis.  The firm has cyber insurance.    

Business Continuity & Disaster Recovery

The firm has a business continuity & disaster recovery plan that is regularly tested.  Firm and client information is protected by high availability systems, backup services, data replication, and redundant co-located, geographically dispersed datacenters. 

Awareness and Education

Employees are required to attend annual security awareness training.  Monthly newsletters and, when warranted, security alerts reinforce awareness and education through the year. 

Vendor Management

The security team assesses all vendors against a series of criteria based on the ISO 27001:2022 standard and CIS Critical Security Controls before granting a vendor system access or placing systems into operation. Each vendor undergoes a privacy impact assessment, and all contracts and data processing agreements are reviewed by attorneys before execution.  Vendors are only granted access to the information required to perform their duties under the agreed upon statement of work.  A vendor access management system controls and logs all vendor access to firm systems and data.