Company Acquisition and Integration ISO27001
If Company X acquires a company Y, what is the process to follow to integrate the ISO 27001 certification, given that both companies are certified, but company Y will be under Company X, so that the certification of company X can also cover company Y? In this case, how should the future audit process work to include company Y in the ISMS scope, taking into account that company Y has its own governance and its own departments such as HR, IT, Finance, etc.?
Company Y can be included in the scope of company X. You can think of that as an addition to the company X ISMS scope, and for that company X needs to perform all the sequential steps that follow a scope update, with some adjustments:
- reviewing ISMS basic framework (e.g., scope, objectives, organizational structure), considering the organizational context of both companies and requirements of interested parties;
- review of risk assessment and treatment methodologies, to see which elements can be handled together and which ones need to be kept separate;
- review the risk assessment and define the updated risk treatment plan;
- adjustment of implemented controls when necessary (e.g., policies and procedures documentation, acquisitions, etc.), as well as the implementation of new controls required due to the new context;
- people training and awareness;
- controls operation;
- performance monitoring and measurement;
- perform an internal audit;
- perform management critical review; and
- address nonconformities, corrective actions, and opportunities for improvement.
These articles will provide you with additional information:
- Three strategies for ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/#options
- ISO 27001 implementation steps https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Regarding how to audit this new scope, you may have these options:
- perform a single audit covering both companies
- perform separate audits for each company
- perform separate audits covering similar areas in both companies (e.g., one audit covering HR of both companies X and Y) and audits related to specificities of each company (e.g., one audit for R&D of company X and one audit for R&D of company Y)
Examples of criteria you can use to decide how to define the audits are the complexity of execution, availability of auditors, size of organizations, and number of employees.
For further information, see:
- ISO 27001 internal audit: The complete guide https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
Apr 26, 2023