Expert Advice Community

Company Acquisition and Integration ISO27001

Lajvar Created:   Apr 25, 2023 Last commented:   Apr 26, 2023

If company X acquires company Y, what is the process to follow to integrate the ISO 27001 certification? Both companies are certified, but company Y will be under company X, so can the certification of company X also cover company Y? In this case, how should the future audit process work to include company Y in the ISMS scope, taking into account that company Y has its own governance and its own departments, such as HR, IT, Finance, etc.?

Expert
Rhand Leal Apr 26, 2023

Company Y can be included in the scope of company X. You can think of that as an addition to the company X ISMS scope, and for that company X needs to perform all the sequential steps that follow a scope update, with some adjustments:

  1. review the ISMS basic framework (e.g., scope, objectives, organizational structure), considering the organizational context of both companies and the requirements of interested parties;
  2. review the risk assessment and treatment methodologies, to see which elements can be handled together and which ones need to be kept separate;
  3. review the risk assessment and define the updated risk treatment plan;
  4. adjust implemented controls when necessary (e.g., policies and procedures documentation, acquisitions, etc.), and implement new controls required by the new context;
  5. people training and awareness;
  6. controls operation;
  7. performance monitoring and measurement;
  8. perform an internal audit;
  9. perform a critical management review; and
  10. address nonconformities, corrective actions, and opportunities for improvement.

Regarding how to audit this new scope, you may have these options:

  • perform a single audit covering both companies
  • perform separate audits for each company
  • perform separate audits covering similar areas in both companies (e.g., one audit covering HR of both companies X and Y) and audits related to specificities of each company (e.g., one audit for R&D of company X and one audit for R&D of company Y)

Examples of criteria you can use to decide how to define the audits are the complexity of execution, availability of auditors, size of organizations, and number of employees.
