This is a scenario.
Company A is currently ISMS certified – The scope: Security Operation Center (SOC); location at office A, using System A
Company A needs to be re-certified by the end of February.
Company B (not ISMS certified) bought over Company A. Their merging exercise is to be completed in March. They intend to relocate the SOC to location B, and may use a new System B (later, after the relocation). They want to maintain the ISMS certification of the SOC (previously Company A). I would appreciate your advice: what is their action plan in order to maintain the ISMS certification?
Company B also intends to extend the scope of the ISMS – New Scope – Whole company? What do they need to do? Thank you
Since the scope of the ISMS is changing, first the ISMS scope document needs to be updated. Once this is done, the best course of action is to contact the certification body and ask them whether they can cover this changed scope at the next surveillance audit, or whether they would need to handle this new scope through a new certification audit.
The change in ISMS scope for this scenario is due to the change in location; is that correct? What will the CB usually advise if there is a change in scope? Is it a surveillance audit or a new certification audit? What are the criteria? Another issue for this scenario is that the ISMS certificate will be for a different entity (a merging entity).