
For LPOs you might retain, know the difference between certification and evaluation

An excellent article in Legal Tech. News, Feb. 2010 at 22-23, explains two ways that legal departments can assure themselves about the levels of control and security LPO vendors offer. The two ways are “a certification program, where the outsourcing vendor complies with a pre-described set of controls. A second is for the outsourcing vendor to be audited, based not on a predetermined set of controls but on the judgment of an independent third-party auditor.”

The author, Thomas Shaw (Thomas@tshawlaw.com), writes about the ISO 27001 information security standard as an example of certification and SAS 70 as an example of an evaluation (audit) methodology. If a legal department has to choose between the two forms of assurance, Shaw favors the ISO good housekeeping seal because it prescribes a set of policies, procedures and controls. Additionally, it requires continuous improvement efforts. He closes with some other suggestions regarding confidentiality controls. (See my post of June 9, 2009: ISO: 9001 accreditation for legal translation companies; April 28, 2009: ISO certification by a law firm; Nov. 25, 2009 #4: ISO 9001:2008 global quality management certification from Underwriters Laboratories; Dec. 23, 2009: SAS 70 and Serengeti; Dec. 30, 2009: LPO in India to receive an ISO 27001 certificate.)