What is Cyber LOCS?
Cyber LOCS is a suite of information security services, exclusively offered by Oyster IMS
Cyber LOCS helps law firms prepare for LOCS:23 certification, ensuring their compliance with the Technical Security Measures listed in LOCS:23 8.3.1 .
The LOCS:23 standard is the only official, ICO-approved certification of GDPR compliance. This is independently audited evidence of compliance with the legal standards for UK GDPR.
It applies to both Data Controllers – including law firms and barristers – and Data Processors – primarily legal tech vendors -each requiring similar security measures.
Why do I need Cyber LOCS?
While a growing number of law firms are working towards their LOCS:23 accreditation, some are struggling to meet the specific cyber security requirements of the standard (see “Technical Security Measures” below.)
If you have achieved ISO 27001 certification, you will find some significant overlap, which will help you towards the information security aspects of LOCS:23. If you have Cyber Essentials or Cyber Essentials Plus, there is more work to do.
For example, do your existing measures cover all these LOCS:23 requirements?
| Writing security policies and procedures | Penetration tests |
| Putting in place BCP/DR plans | Vulnerability scans |
| Implementing retention and disposition | Training |
| Documented systems map | Role-based access control |
| Robust backup and restore processes | Asset management |
| Encryption in place | DLP |
| MFA | Threat Detection |
| MDM |
Key questions to consider
- Are you ISO27001 certified or NIST compliant for your client data file systems?
If so, you’re more likely to be in a good position to meet the Cyber LOCS requirements. - Do you have documented security policies and procedures in place, and are they followed?
If you have good information security documentation and evidence of compliance, the LOCS:23 requirements will be more achievable. - Are your IT services outsourced or in-house?
The LOCS:23 information security requirements are quite specialised, you may find that existing services don’t have all the necessary knowledge.
How can Oyster help with Cyber LOCS?
For maximum flexibility, we offer several engagement options:
- A Cyber LOCS Assessment
Essentially this is a focused Information Security Audit, measuring your firm’s current performance against the technical requirements of LOCS:23. This leads to a gap analysis, and a recommended action plan. - Cyber LOCS Project Management
Oyster will plan, design and work with your team to deliver parts of the action plan. - Cyber LOCS as a Service
Like our established InfoSec Manager as a Service (ISMaaS) , Oyster can provide CyberLOCS support as a planned, or on-demand, service with assistance when needed. - Full LOCS23 services including CyberLOCS
Oyster can provide an integrated package to prepare for LOCS:23 certification, including all appropriate aspects of both Data Protection and Information Security.
We have started our LOCS:23 plans, but our consultants need support on the Information Security aspects. Can Oyster help?
Absolutely, Cyber LOCS can support specialist consultancies, as well as law firms and legal service providers.
Technical Security Measures
These are the LOCS:23 security measures covered by Cyber LOCS:
Incident Response
Assistance with reporting and remediating cybersecurity incidents.
Scope: Personal Data Breaches.
Description: Ensuring your breach reporting processes meet the requirements of the jurisdictions in which you operate. Providing assistance with liaising with regulators such as the ICO and DPC.
Frequency: Minimum – Annual Review of status. Assistance – as required.
Advantages: Oyster’s established DPO as a Service is available to customers for management of cyber incidents.
Backup Restore Review
Review and recommend appropriate data backup restore provisions.
Scope: All systems (on-premise or cloud hosted).
Description: A review of your Business Continuity and Disaster Recovery requirements for systems and data. A review of your current backup/restore processes and a set of recommendations for improvement.
Frequency: Minimum – Annual Review of status.
Advantages: Experienced Information Governance, Data Protection, and Information Security consultants who understand data criticality and can ensure your processes provide you with the resilience you need. For M365, Oyster IMS partners with Skykick who offer the most intelligent solution for secure, automated & customer-centric data protection.
Information Security Policy Review
Review of internal policies to ensure organisations have appropriate levels of governance in place
Scope: Existing policies (review/update) or missing policies (drafting).
Description: A review of your Information Security Policy suite in compliance with a standard or framework, or against a list that Oyster IMS believes are essential, particularly for smaller companies.
Frequency: Minimum – Annual Review of status to ensure policies remain fit for purpose.
Advantages: With ISO 27001 qualified implementers and auditors, combined with knowledge of NIST and other frameworks, Oyster IMS can assist your company in the production of a compliant, pragmatic policy suite that doesn’t just lie unused on the shelf.
Cybersecurity Awareness Training
Combine the results of online training and assessment with phishing simulation campaigns to identify and support client organisations.
Scope: All employees, with an option for more tailored content specific to department or key users.
Description: Can be offered as a fully managed service or an assisted implementation. The platform provides regular microlearnings and AI-driven phishing simulations.
Frequency:
Training content: minimum – annual. Recommended – little and often throughout the year.
Phishing Simulations: minimum – every 6 months. Recommended – every two weeks.
Advantages: Structured curriculum content that can also be tailored to your requirements. Ability to create custom training courses to supplement the curriculum. Automated and manual scheduling of phishing simulations. AI-assisted phishing simulation generation. Threat alerts and advice keeping your users informed. (more info…)
Data Leakage Protection (DLP)
Assess current practices and recommend solutions to prevent data leakage.
Scope: All systems containing data of value to your company
Description: Via interviews we gain an understanding of your company data and any existing solutions you have in place. Typically this will cover a review of any data classification schemes, labelling processes, DLP rules and actions.
Frequency: Minimum – Annual status review.
Advantages: Experienced Information Governance team with knowledge of the challenges in implementing an effective DLP program, including the use of sensitive information types for adherence with Data Protection principles.
Penetration Testing
Using ethical hackers, we attempt to gain access to client systems, identify gaps/weaknesses and work in partnership to proactively remedy key vulnerabilities.
Scope: External systems, internal systems, specific applications or websites.
Description: Penetration Testing takes vulnerability management to the next level by attempting, with your permission, to exploit any vulnerabilities present in your IT estate and providing you with a report and an understanding of what could be exploited by a threat actor.
Frequency: Minimum – Annual. Recommended – at least every six months
Advantages: Oyster IMS partner with Cobalt, the leading Penetration Testing as a Service (PTaaS) provider to give you access to 450+ testers in over 75 countries and the ability to start a penetration test in a little as 24 hours from defining the scope. Oyster IMS will work with you to understand your business and requirements and then use that knowledge to assist you in understanding the test outputs and reports.
IT Vulnerability Scan
Oyster IMS conducts periodic vulnerability scans to identify vulnerabilities in internal and external IT security. Ensure proactive support to remedy key vulnerabilities.
Scope: Scope can be tailored to your requirements. External facing systems; internal systems; individual assets;
Description: The engagement will involve scanning your network for assets and then running vulnerability scans on all those assets, or a chosen selection.
We will then provide you with a report and recommendations to resolve any vulnerabilities or misconfigurations.
Frequency: Monthly – recommended
Advantages: Oyster IMS uses Nessus, the widely recognised #1 vulnerability scanner with the widest vulnerability coverage in the industry combined with the lowest false positive rate meaning that you can have confidence in the scan results.
Security Audit
Consultancy to provide an information security ‘health check’ or maturity assessment with gap analysis report and recommendations to remediate.
Scope: Depending on requirements, scope can be a single system, a single department, or a company’s entire IT estate.
Description: Our assessments can provide you with insight into your compliance against a recognised standard or framework, or an overall view of your security maturity. The engagement will take the form of several interviews and may also involve reviewing evidence to support your answers (dependent on the assessment chosen).
Frequency: Minimum – Annual Review of status
Advantages: Wide range of assessments available to suit your requirements (Standards/Framework based – ISO 27001, NIST CSF, CIS Controls, NCSC CAF, Cyber Essentials/Cyber Essentials Plus).