Company Y can be included in the scope of company X. You can think of that as an addition to the company X ISMS scope, and for that company X needs to perform all the sequential steps that follow a scope update, with some adjustments:
- review of the ISMS basic framework (e.g., scope, objectives, organizational structure), considering the organizational context of both companies and the requirements of interested parties;
- review of the risk assessment and risk treatment methodologies, to see which elements can be handled together and which ones need to be kept separate;
- review of the risk assessment and definition of the updated risk treatment plan;
- adjustment of implemented controls where necessary (e.g., policies and procedures documentation, acquisitions, etc.), as well as implementation of new controls required by the new context;
- people training and awareness;
- controls operation;
- performance monitoring and measurement;
- internal audit;
- critical management review; and
- addressing nonconformities, corrective actions, and opportunities for improvement.
These articles will provide you with additional information:
Regarding how to audit this new scope, you have these options:
- perform a single audit covering both companies;
- perform separate audits for each company;
- perform separate audits covering similar areas in both companies (e.g., one audit covering HR of both companies X and Y) plus audits covering the specificities of each company (e.g., one audit for R&D of company X and one audit for R&D of company Y).
Examples of criteria you can use to decide how to define the audits are the complexity of execution, the availability of auditors, the size of the organizations, and the number of employees.
For further information, see: