Get 30% off on toolkits, course exams, and Conformio yearly plans.
Limited-time offer – ends April 25, 2024
Use promo code:

Expert Advice Community


Company Acquisition and Integration ISO27001

Lajvar Created:   Apr 25, 2023 Last commented:   Apr 26, 2023

Company Acquisition and Integration ISO27001

If Company X acqcuires a company Y, which is the process to follow to integrate the certification ISO27001, because both companies are certified, but the company Y will be under the Company X so the certification of company X can cover also to the company Y? in this case how should work the future audit process to include the company Y into the  ISMS scope, taking in account that company Y has their own governance, and their own departments as HR, IT, Financial etc.

0 0

Assign topic to the user


Step-by-step implementation for smaller companies.


Step-by-step implementation for smaller companies.

Rhand Leal Apr 26, 2023

Company Y can be included in the scope of company X. You can think that as an addition in the company X ISMS scope, and for that company X needs performing all sequential steps after a scope update with some adjustments:

  1. reviewing ISMS basic framework (e.g., scope, objectives, organizational structure), considering the organizational context of both companies and requirements of interested parties;
  2. review of risk assessment and treatment methodologies, to see which elements can be handled together and which ones need to be kept separate;
  3. review the risk assessment and define the updated risk treatment plan;
  4. adjustment of implemented controls when necessary (e.g., policies and procedures documentation, acquisitions, etc.), as well as the implementation of new controls required due to the new context;
  5. people training and awareness;
  6. controls operation;
  7. performance monitoring and measurement;
  8. perform an internal audit.
  9. perform management critical review; and
  10.  address nonconformities, corrective actions, and opportunities for improvement.

These articles will provide you with additional information:

Regarding how to audit this new scope, you may have these options:

  • perform a single audit covering both companies
  • perform separate audits for each company
  • perform separate audits covering similar areas in both companies (e.g., one audit covering HR of both companies X and Y) and audits related to specificities of each company (e.g., one audit for R&D of company X and one audit for R&D of company Y)

Examples of criteria you can use to decide how to define the audits are the complexity of execution, availability of auditors, size of organizations, and number of employees.

For further information, see:

0 0

Comment as guest or Sign in

HTML tags are not allowed

Apr 25, 2023

Apr 26, 2023