
Expert Advice Community

Merging ISMSs

Guest user, created: Mar 31, 2022; last commented: Mar 31, 2022

Company X is ISO 27001 certified and has an ISMS in place. Suppose company X acquires another company Y, which is also ISO 27001 certified with its own ISMS. Where should the merging of the 2 ISMSs into 1 start, and what could be the challenges with this task?

Expert: Rhand Leal, Mar 31, 2022

You should treat this merge as an implementation project with some adjustments:
1) review the ISMS basic framework (e.g., scope, objectives, organizational structure), considering the merged organizational context and the requirements of interested parties;
2) review the risk assessment and treatment methodologies, to see which elements can be merged and which ones need to be kept separate;
3) review the risk assessment and define the updated risk treatment plan;
4) adjust implemented controls when necessary (e.g., policies and procedures documentation, acquisitions, etc.), and implement the new controls required by the new merged context;
5) people training and awareness;
6) controls operation;
7) performance monitoring and measurement;
8) perform the internal audit;
9) perform the management critical review; and
10) address nonconformities, corrective actions, and opportunities for improvement.

Regarding challenges, some of them may be:

- Lack of management support: without this support, you won't have the minimal resources and engagement to implement a proper merging.
- Not using a project management approach: such an implementation involves coordinating several people to perform dozens of activities, and without a methodology you will end up in a huge mess with no security at all.
- Lack of time for the merging project: the project can be very important, but normally there are a lot of urgent things happening that postpone the project.
- ISMS scope wrongly defined: not protecting the information that really matters considering the merged context.
- Documentation: procedures in excess, or lacking details, may compromise operations.

These articles will provide you with additional information:
- Three strategies for ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/#options
- ISO 27001 implementation steps https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
