As always, your input is appreciated, and I hope that, as a result of my questions being answered, many others can benefit too when they visit Advisera.
As a company, we have recently acquired a business; we are currently ISO 27001 certified, and they are not. We are bringing their IT assets and infrastructure under our control. In terms of compliance from an ISO 27001 perspective, are there things we should be doing or checking to remain compliant with the ISO 27001 standard and certification?
To ensure your organization stays compliant with ISO 27001 during this merger, you should treat the merge as an implementation project with some adjustments:
1) Review the basic ISMS framework (e.g., scope, objectives, organizational structure), considering the merged organizational context and the requirements of interested parties;
2) Review the risk assessment and treatment methodologies to see which elements can be merged and which need to be kept separate;
3) Review the risk assessment and define the updated risk treatment plan;
4) Adjust the implemented controls where necessary (e.g., policies and procedures documentation, acquisitions, etc.), and implement any new controls required by the new merged context;
5) People training and awareness;
6) Controls operation;
7) Performance monitoring and measurement;
8) Perform the internal audit;
9) Perform the critical management review; and
10) Address nonconformities, corrective actions, and opportunities for improvement.
These articles will provide you with additional information: