Company X is ISO 27001 certified and an ISMS is in place. Suppose company X acquires another company Y, which is also ISO 27001 certified with its own ISMS. Where should the merging of the two ISMSs into one start, and what could be the challenges with this task?
You should treat this merge as an implementation project with some adjustments:

1) reviewing the ISMS basic framework (e.g., scope, objectives, organizational structure), considering the merged organizational context and the requirements of interested parties;
2) review of risk assessment and treatment methodologies, to see which elements can be merged and which ones need to be kept separate;
3) review the risk assessment and define the updated risk treatment plan;
4) adjustment of implemented controls when necessary (e.g., policies and procedures documentation, acquisitions, etc.), as well as the implementation of new controls required due to the new merged context;
5) people training and awareness;
6) controls operation;
7) performance monitoring and measurement;
8) perform internal audit;
9) perform management critical review; and
10) address nonconformities, corrective actions, and opportunities for improvement.
Regarding challenges, some of them may be:
Lack of management support: without this support, you won't have the minimal resources and engagement to implement a proper merging.

Not using a project management approach: such an implementation involves coordinating several people to perform dozens of activities, and without a methodology, you will finish inside a huge mess with no security at all.

Lack of time for the merging project: the project can be very important, but normally there are a lot of urgent things happening that postpone the project.

ISMS scope wrongly defined: not protecting the information that really matters considering the merged context.

Documentation: procedures in excess or lacking details may compromise operations.

These articles will provide you with additional information:
- Three strategies for ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/#options
- ISO 27001 implementation steps https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/