You should treat this merge as an implementation project with some adjustments:
1) reviewing ISMS basic framework (e.g., scope, objectives, organizational structure), considering the merged organizational context and requirements of interested parties;
2) review of risk assessment and treatment methodologies, to see which elements can be merged and which ones need to be kept separate;
3) review the risk assessment and define the updated risk treatment plan;
4) adjustment of implemented controls when necessary (e.g., policies and procedures documentation, acquisitions, etc.), as well as the implementation of new controls required due to the new merged context;
5) people training and awareness;
6) controls operation;
7) performance monitoring and measurement;
8) perform internal audit;
9) perform management critical review; and
10) address nonconformities, corrective actions, and opportunities for improvement.
Regarding challenges, some of them may be:
- Lack of management support: without this support, you won't have the minimal resources and engagement to implement a proper merging.
- Not using a project management approach: such implementation involves coordinating several people to perform dozens of activities, and without a methodology, you will finish inside a huge mess with no security at all.
- Lack of time for the merging project: The project can be very important, but normally, there are a lot of urgent things happening that postpone the project.
- ISMS scope wrongly defined: not protecting information that really matters considering the merged context.
- Documentation: Procedures in excess or lack of details may compromise operations.
These articles will provide you additional information:
- Three strategies for ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/#options
- ISO 27001 implementation steps https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Mar 31, 2022