Case study · Legal

Regulated legal client — VMaaS and reporting cadence.

An SRA-regulated UK firm needed a defensible, repeatable vulnerability process that would satisfy both ISO 27001 surveillance audits and corporate client assurance reviews.

At a glance
Sector
Legal services
Headcount
150–250 fee-earners, three UK offices
Regulatory context
SRA-regulated; ISO 27001 certified; corporate client audits
Services engaged
Vulnerability Management as a Service (VMaaS); compliance reporting support
Engagement type
Ongoing managed service
Duration
Placeholder — insert engagement length

Published with the client's written permission. Identifying details have been generalised.

01 · Problem

Defensible coverage across a mixed estate.

The firm operated a mixed estate of partner laptops, an on-premise document management system and a growing cloud footprint following a hybrid-working programme. A recent client audit from a regulated corporate counterparty raised concerns about the consistency and timeliness of vulnerability identification across that estate.

Internal IT capacity was focused on service delivery, leaving limited bandwidth for continuous vulnerability assessment, prioritisation and evidenced remediation. The Information Security Manager needed a repeatable process that would satisfy ISO 27001 surveillance audits and client assurance questionnaires.

02 · Approach

Scoped jointly, governed jointly.

A fixed-fee scoping workshop produced an agreed asset inventory, scan windows that respected fee-earner working patterns, and a joint governance model with the firm's IT and Risk functions.

Onboarding was phased: the partner estate first, then infrastructure, then cloud workloads. Decision rights, escalation paths and a risk acceptance process aligned to the firm's existing Information Security Committee were documented before the first scan cycle.

03 · Controls & Process

Operating model, not just tooling.

  • Authenticated and unauthenticated scanning across in-scope assets on an agreed cadence.
  • Risk-based prioritisation aligned to the firm's asset criticality classification.
  • Remediation tickets raised in the firm's existing service management tooling, tracked through to closure.
  • Formal risk acceptance workflow for vulnerabilities the firm elected not to remediate, with rationale, owner and review date.
  • Defined service levels for triage of newly disclosed critical vulnerabilities.

04 · Outcomes

Qualitative, evidenced, audit-ready.

  • A single, consolidated view of vulnerability posture across the firm's estate, replacing fragmented point-in-time assessments.
  • A documented, repeatable process presented during client assurance reviews and ISO 27001 surveillance audits.
  • Improved alignment between IT operations and the Information Security Committee, with vulnerability data informing prioritisation.
  • Reduced reliance on ad-hoc internal effort to compile evidence for client questionnaires.

05 · Evidence & Reporting

Cadence that survives an audit.

  • Monthly operational report: scan coverage, new and resolved findings, ageing analysis, remediation throughput.
  • Quarterly governance pack: trend analysis, risk acceptance register, recommended priorities, presented at the firm's Information Security Committee.
  • Annual assurance summary: consolidated evidence pack referenced during ISO 27001 surveillance and shared with client auditors under NDA.
  • Full scan history, ticket lineage and meeting minutes retained as audit evidence.

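
The monthly metrics listed above (new and resolved findings, ageing analysis, remediation throughput) and the risk acceptance register from the Controls & Process section are simple to compute once findings carry a first-seen date, a resolution date and, where accepted, a review date. The script below is an added illustration written for this page, not the provider's reporting tooling or the firm's actual data: the per-severity SLA days, the `Finding` fields and the sample findings are all assumed or constructed, and the firm's real service levels and asset classification would replace them.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Assumed triage/remediation SLA per severity, in days. Illustrative only;
# the firm's agreed service levels (Controls & Process) would go here.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

AGE_BUCKETS = (("0-30", 30), ("31-90", 90), (">90", None))


@dataclass
class Finding:
    asset: str
    severity: str                        # one of SLA_DAYS keys
    first_seen: date                     # first detection by the scanner
    resolved: Optional[date] = None      # ticket closure date, if remediated
    accepted_until: Optional[date] = None  # risk acceptance review date, if accepted


def _is_open(f: Finding, as_of: date) -> bool:
    return f.resolved is None or f.resolved > as_of


def _bucket(age_days: int) -> str:
    for label, upper in AGE_BUCKETS:
        if upper is None or age_days <= upper:
            return label
    return AGE_BUCKETS[-1][0]


def monthly_report(findings, period_start: date, period_end: date) -> dict:
    """Summarise one reporting period in the shape of the monthly operational report."""
    new = [f for f in findings if period_start <= f.first_seen <= period_end]
    resolved = [f for f in findings
                if f.resolved is not None and period_start <= f.resolved <= period_end]
    open_ = [f for f in findings if _is_open(f, period_end)]

    ageing = {sev: {label: 0 for label, _ in AGE_BUCKETS} for sev in SLA_DAYS}
    overdue, reviews_due = [], []
    for f in open_:
        age = (period_end - f.first_seen).days
        ageing[f.severity][_bucket(age)] += 1
        # An acceptance only suppresses the SLA breach while its review date is in the future.
        accepted = f.accepted_until is not None and f.accepted_until > period_end
        if f.accepted_until is not None and f.accepted_until <= period_end:
            reviews_due.append((f.asset, f.severity, f.accepted_until.isoformat()))
        if age > SLA_DAYS[f.severity] and not accepted:
            overdue.append((f.asset, f.severity, age))

    days_to_fix = [(f.resolved - f.first_seen).days for f in resolved]
    return {
        "new": len(new),
        "resolved": len(resolved),
        "open": len(open_),
        "ageing": ageing,
        "overdue": sorted(overdue, key=lambda t: -t[2]),
        "acceptance_reviews_due": reviews_due,
        "median_days_to_remediate": median(days_to_fix) if days_to_fix else None,
    }


# Constructed sample findings (not real client data) for March 2024.
SAMPLE = [
    Finding("dms-app-01", "critical", date(2024, 3, 12), resolved=date(2024, 3, 15)),
    Finding("laptop-0042", "high", date(2024, 1, 20)),
    Finding("laptop-0042", "medium", date(2024, 3, 5)),
    Finding("legacy-scan-srv", "high", date(2023, 12, 1), accepted_until=date(2024, 3, 20)),
    Finding("cloud-vm-03", "low", date(2024, 2, 10), resolved=date(2024, 3, 4)),
]


def sample_report() -> dict:
    return monthly_report(SAMPLE, date(2024, 3, 1), date(2024, 3, 31))


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

The overdue list is the figure an auditor will ask about: an open finding past its SLA either has a live risk acceptance with a named owner and a future review date, or it is a breach. Lapsed acceptances are surfaced separately so the quarterly governance pack can re-decide them rather than let them quietly become permanent.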
06 · Next Steps

Extending scope, sustaining cadence.

The next phase extends scanning coverage to a recently acquired office and introduces a phishing awareness programme alongside the existing VMaaS service. An annual governance review is scheduled to reassess asset classification and risk appetite ahead of the firm's next ISO 27001 recertification.

"Placeholder pull-quote from a named senior stakeholder — to be approved by the client before publication."
Placeholder — to be approved by the client before publication.

Security services materially reduce risk and improve detection and response, but no provider can guarantee prevention of incidents. Responsibility for compliance certification remains with the customer.

Book a fixed-fee scoping workshop.

We'll outline an engagement shaped around your sector, scale and regulatory context.