LOCS:23 is currently the buzzword for legal service providers as more and more law firms and chambers start to go for certification. By achieving LOCS:23 certification, legal firms validate their practices against a robust security framework that tests their ability to protect sensitive information. This certification indicates a strong privacy and data security culture that impacts every aspect of a company’s operations. 






With the increasing interest in LOCS:23 we sat down and spoke with the scheme owner Tim Hymann, from 2twenty4 Consulting, in order to gain a better understanding of the background of LOCS:23 and the journey to becoming the first sector-wide, ICO, approved standard for GDPR. We have taken some of the answers from the conversation and shared them below;



What were you doing before LOCS:23?

“I have been in and around legal for over 25 years. I became the IT Director at Olswang back in 1996 and went on to roles at Harbottle & Lewis, Taylor Wessing and Reed Smith amongst others. I decided to make the jump to independent consultancy and created my own company 2twenty4 Consulting in 2016.”



What was it that caused you to start your journey to create LOCS:23?

“I worked with a number of International Organisations including the Council of Europe, IFAD, the Inter-American Development Bank and the Organisation for the Prohibition of Chemical Weapons. Somewhat uniquely, these organisations have privileges and immunities to law which means the GDPR or any other data protection legislation does not apply. 


The EU determined that despite these immunities where they provided funds to these organisations they would insist on an equivalent level of protection to GDPR. They called this the ‘Pillar 9 Assessment’ and instructed auditors (such as Deloitte and EY) to ascertain the level of data protection in these organisations.


In helping these IOs to prepare I realised the value of a physical audit and went on to develop a prescribed set of controls that the GDPR could be measured against.”



How long has it taken to get LOCS:23 to become approved by the ICO?

“I submitted the LOCS:23 scheme application in August 2021.”



What was the biggest challenge you faced?

“The biggest challenge has been taking elements of legislation that can be fairly vague such as ‘large volumes’ where large is not defined and creating controls that satisfy the ICO interpretation of compliance, the auditor’s ability to pass/fail and the business ability to apply practically.”



What has been the biggest learning from the pilot scheme?

“The biggest learnings came from the pilot organisations’ interpretation of the controls. A number of controls required further clarity which led to enhanced supporting notes which in turn had to be approved by the ICO before final approval was granted.”



Does the LOCS certification change depending on the size of the legal service provider?

“No – it is a one-size-fits-all standard”



What do you look for when choosing an approved solution?

“The solution provider MUST demonstrate how their solution if used appropriately can assist an organisation on their LOCS certification journey by meeting one or more of the LOCS controls.”



Why was Arx chosen as an approved solution?

“ARX demonstrated how a firm using its Risk Management Platform would enhance third-party due diligence and clearly meet a number of the LOCS:23 controls.”




Want to find out how we can help your company with LOCS:23? Download our introduction brochure here!

Arx Alliance has been chosen as a LOCS:23 Approved Solution, offering a unique platform for legal service providers to manage third-party cyber risks and vendor engagements efficiently. The Arx platform simplifies the LOCS:23 standard, enabling firms to conduct gap analyses independently before consulting external experts.

For legal service providers aiming to demonstrate their commitment to data protection and gain a competitive advantage, achieving LOCS:23 certification is a strategic move. Reach out to our team to learn how we can assist your firm in navigating the path to LOCS:23 certification.



Protect your firm with Arx Alliance

The Arx platform is unique. Our approach is collaborative rather than prescriptive. We give you the tools and the framework to create robust, secure supply chains in a way that is effective, and cuts through the noise and jargon of a complex industry.

Over time, through a guided step-by-step process, we can help you identify and mitigate risks inside your own organisation, and collaborate with your suppliers to create robust, secure supply chain relationships.

Arx provides your firm and suppliers with a suite of tools:

  • Visibility of the organisation’s attack surfaces
  • Efficient control of cyber policies and standards
  • Central place for managing standards and controls
  • Continuous monitoring of all touch points
  • Situational awareness for all tiers of supply chain
  • Risk score suppliers to highlight weak links