For a sister company that has decided to implement the ISO-certified ISMS instead of their own: is it enough to identify gaps between the two ISMSs and receive approval from top management that both companies are following the one ISMS? As long as any gaps are identified and any new policies that may be required (depending on regulatory requirements) are added, will this be sufficient?
Please note that, unless the companies are identical, one company cannot simply copy and paste the ISMS from another company, so your proposed approach (approval from top management and treatment of gaps) is not sufficient.
You need to perform all the implementation steps (most importantly the risk assessment), to determine which kind of specific security is needed for the company’s unique circumstances. The similarities may help speed up and simplify the process, but you need to follow the implementation steps to ensure you have an ISMS fit for purpose for this specific company.
For further information, see:
- ISO 27001 implementation steps https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Dec 30, 2022