https://community.isc2.org/t5/Governance-Risk-Compliance/ISO-27001-controls-re-engineering-data-bridges-set-up-between/m-p/45700#M389 <a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/985787817">@Midude2000</a> - without knowing the specifics of your situation and the scope<BR />of your ISMS, it would be difficult to offer more, but given the example<BR />you gave about data exchange, here are some things that might come into<BR />play from an ISO 27001 perspective:<BR /><BR />- *Information Classification Policy*: this would typically outline the<BR />various classifications you have in place for your data. In this case,<BR />company B (the ISO 27001-certified company) would normally have specific<BR />classification levels in place to distinguish the different types of data<BR />and how to protect each group. This would be important to consider in the<BR />exchange of data, because company B would need to ensure that the exchange<BR />process is in line with their policies around handling and protection of<BR />each type of data, depending on how it's classified. Some examples of<BR />classifications are "sensitive/regulated," "restricted," "confidential,"<BR />and "public."<BR /><BR />- *Information Labeling Policy*: this would typically set forth<BR />requirements around how information is labeled in order to provide a visual<BR />cue/reminder to people about the sensitivity of that information. I would<BR />expect company B to have this kind of policy in place.<BR /><BR />- *Information Transfer Policy*: this policy would typically outline<BR />general requirements around how information must/mustn't be transferred<BR />that apply to all information. Additionally, it would also normally include<BR />specific requirements for which transfer modes (email, text, IM, phone,<BR />fax, etc.) can/cannot be used for transferring different classes of data,<BR />and how data must be protected depending on the mode that is being used for<BR />the transfer (e.g. encryption).<BR /><BR />Those are just a few that come to mind, but depending on the specifics of<BR />your situation, there may be a few other policies from company B's ISMS<BR />that may come into play.<BR /><BR />Hope this is somewhat helpful. Thu, 27 May 2021 00:26:05 GMT joeadu 2021-05-27T00:26:05Z https://community.isc2.org/t5/Governance-Risk-Compliance/ISO-27001-controls-re-engineering-data-bridges-set-up-between/m-p/45641#M388 <P>Hi All:<BR />Does anyone have some guidance related to ISO 27001 risks and related controls/policies which become important to consider for a company going through an acquisition process? For example, if company A is being acquired by Company B (which is ISO 27001 compliant), and Company A and B have set up 'data exchange bridges' to exchange data during the acquisition process...what controls (specific to ISO 27001) come into play? what would a audit plan/communication plan for such a control set look like?</P> Mon, 24 May 2021 21:52:58 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/ISO-27001-controls-re-engineering-data-bridges-set-up-between/m-p/45641#M388 Midude2000 2021-05-24T21:52:58Z https://community.isc2.org/t5/Governance-Risk-Compliance/ISO-27001-controls-re-engineering-data-bridges-set-up-between/m-p/45700#M389 <a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/985787817">@Midude2000</a> - without knowing the specifics of your situation and the scope<BR />of your ISMS, it would be difficult to offer more, but given the example<BR />you gave about data exchange, here are some things that might come into<BR />play from an ISO 27001 perspective:<BR /><BR />- *Information Classification Policy*: this would typically outline the<BR />various classifications you have in place for your data. In this case,<BR />company B (the ISO 27001-certified company) would normally have specific<BR />classification levels in place to distinguish the different types of data<BR />and how to protect each group. This would be important to consider in the<BR />exchange of data, because company B would need to ensure that the exchange<BR />process is in line with their policies around handling and protection of<BR />each type of data, depending on how it's classified. Some examples of<BR />classifications are "sensitive/regulated," "restricted," "confidential,"<BR />and "public."<BR /><BR />- *Information Labeling Policy*: this would typically set forth<BR />requirements around how information is labeled in order to provide a visual<BR />cue/reminder to people about the sensitivity of that information. I would<BR />expect company B to have this kind of policy in place.<BR /><BR />- *Information Transfer Policy*: this policy would typically outline<BR />general requirements around how information must/mustn't be transferred<BR />that apply to all information. Additionally, it would also normally include<BR />specific requirements for which transfer modes (email, text, IM, phone,<BR />fax, etc.) can/cannot be used for transferring different classes of data,<BR />and how data must be protected depending on the mode that is being used for<BR />the transfer (e.g. encryption).<BR /><BR />Those are just a few that come to mind, but depending on the specifics of<BR />your situation, there may be a few other policies from company B's ISMS<BR />that may come into play.<BR /><BR />Hope this is somewhat helpful. Thu, 27 May 2021 00:26:05 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/ISO-27001-controls-re-engineering-data-bridges-set-up-between/m-p/45700#M389 joeadu 2021-05-27T00:26:05Z