
Expert Advice Community

Guest user | Created: Jul 02, 2019 | Last commented: Jul 02, 2019

ISMS

The mission-critical IT of a company is managed (development, operations, support) by a third party, for which this operation represents 90% of its business. The decision has been made to acquire that company, which is ISO 27001 certified. The main company has its own ISMS, but with different criteria, methodologies and procedures. The current certificate needs to be "kept" valid. What could be the alternatives for adopting/adjusting/integrating the ISMSs? Which might require the least effort? Which could be the least risky (in terms of losing the certificate)?


Expert
Rhand Leal Jul 02, 2019

(The IT mission of a company is managed (development, operations, support) by a third party, for which this operation means 90% of its business. The decision has been taken to acquire that company, which is certified ISO 27001. The main company has its own ISMS, but with different criteria, methodologies, procedures. It is necessary to "keep" the current certificate. What could be the alternatives to adopt / adjust / integrate the ISMS? Which may require less effort? Which could be less risky (lose the certificate)?)

Answer:

First, it is important to note that if both the main organization and the acquired organization are ISO 27001 certified, then at first the best strategy is to keep both certificates (i.e., work with two separate scopes), so as not to affect your current operation during the transition period.

Considering a second moment, the solution which requires the least effort regarding risk management is for you to identify how risks from one methodology can be translated to the other, so you can have comparable results. For example, if for methodology 1 the risks are valued from 1 to 3 and for methodology 2 they are valued from 1 to 5, the risks identified by methodology 1 must be divided by 0.6 (3/5) to be compared to risks identified by methodology 2. For the reverse path, the risks identified by methodology 2 must be multiplied by 0.6 (3/5) to be compared to risks identified by methodology 1.

This way you do not need to change anything in the existing frameworks, but the trade-off is that you will have more administrative effort to keep managing two different risk methodologies. You can adopt this alternative until you define a single approach for all risks (i.e., methodology and criteria).

As for procedures, at first you can keep all procedures and define a schedule to evaluate similar procedures and how to integrate them.

You should also consult with your certification body (or bodies) about how to integrate the ISMSs from the certification perspective.
