HICKS THOMAS LLP COMMITTED TO ISO 27001:2022 COMPLIANCE WITH CERTPRO
About Client
Hicks Thomas LLP is a renowned commercial and tort law firm with its headquarters in Houston. The firm has been helping clients with legal disputes for over 20 years. Hicks Thomas achieves this by carefully examining a client’s problems, including the risks involved in a range of potential outcomes. The firm handles sensitive client information, requiring structured information security controls and independent audit evaluation.
CLIENT REQUIREMENT FOR ISO 27001:2022
Maintaining client trust and protecting sensitive legal data were essential to the firm's continued business. Hicks Thomas LLP identified the need for a structured Information Security Management System (ISMS) aligned with ISO/IEC 27001:2022 requirements. The organization decided on ISO 27001:2022 compliance to strengthen its data protection protocols. In addition, certification provides independent validation of information security controls against ISO/IEC 27001:2022.
AUDIT ENGAGEMENT APPROACH
CertPro conducted the ISO/IEC 27001:2022 audit using a structured, evidence-based methodology aligned with standard audit practices.
Phase 1: Audit Scoping and Planning:
CertPro defined the audit scope, including in-scope systems, business processes, and information assets. Audit criteria were established based on ISO/IEC 27001:2022 requirements.
Documentation requirements and timelines were communicated, and evidence access was coordinated with Hicks Thomas LLP.
Phase 2: Evidence Review and Control Evaluation:
CertPro reviewed documented policies, procedures, and ISMS records.
Controls were evaluated against ISO/IEC 27001:2022 clauses and Annex A requirements.
The audit assessed whether controls were appropriately designed and supported by verifiable documentation.
Phase 3: Control Testing and Audit Validation:
CertPro performed detailed testing of control implementation through inquiry, inspection, and observation.
Evidence such as access records, policy enforcement, and operational logs was examined to confirm control execution.
Any nonconformities were identified and documented with clear reference to applicable ISO requirements.
Phase 4: Audit Reporting and Certification Outcome:
CertPro compiled the audit report based on evidence reviewed during the engagement.
Findings were documented with supporting evidence, severity classification, and standard references.
Following satisfactory closure of applicable nonconformities, certification was issued by the accredited certification body.
AUDIT OUTCOMES AND OBSERVATIONS
Strengthened Information Security Controls: The audit confirmed that Hicks Thomas LLP established and maintained documented information security controls aligned with ISO/IEC 27001:2022 requirements. This included access control practices, workforce-related controls, and operational policies such as clear desk and clear screen procedures.
Improved Control Awareness Across Workforce: Evidence reviewed during the audit indicated increased awareness of information security responsibilities across personnel. Training records and policy acknowledgments supported consistent understanding of security practices, including incident reporting and data handling requirements.
Structured Risk Identification and Treatment: The ISMS framework supported a formal approach to identifying, assessing, and addressing information security risks. Risk registers, treatment plans, and monitoring activities demonstrated an ongoing process for managing potential threats.
Defined Access Control and Accountability: The audit verified that access to information assets was defined, documented, and controlled. User access provisioning, review mechanisms, and accountability structures were supported by verifiable evidence.
Independent Certification Outcome: Successful ISO/IEC 27001:2022 certification provided independent validation of Hicks Thomas LLP’s information security management system. This outcome supports client, partner, and regulatory confidence in the organization’s control environment.
CONCLUSION
The ISO/IEC 27001:2022 audit provided an evidence-based evaluation of Hicks Thomas LLP’s information security management system. Audit results confirmed alignment with applicable standard requirements based on documented controls and observed practices.
Certification was issued by the accredited certification body following completion of the audit and closure of applicable nonconformities. The engagement reflects a structured audit process focused on control effectiveness, documentation integrity, and independent validation.