Showing results for 
Show  only  | Search instead for 
Did you mean: 
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Newcomer II

ISO 27001 controls re: engineering data bridges set up between companies

Hi All:
Does anyone have some guidance related to ISO 27001 risks and related controls/policies which become important to consider for a company going through an acquisition process? For example, if company A is being acquired by Company B (which is ISO 27001 compliant), and Company A and B have set up 'data exchange bridges' to exchange data during the acquisition process...what controls (specific to ISO 27001) come into play? what would a audit plan/communication plan for such a control set look like?

1 Reply
Newcomer I

@Midude2000 - without knowing the specifics of your situation and the scope
of your ISMS, it would be difficult to offer more, but given the example
you gave about data exchange, here are some things that might come into
play from an ISO 27001 perspective:

- *Information Classification Policy*: this would typically outline the
various classifications you have in place for your data. In this case,
company B (the ISO 27001-certified company) would normally have specific
classification levels in place to distinguish the different types of data
and how to protect each group. This would be important to consider in the
exchange of data, because company B would need to ensure that the exchange
process is in line with their policies around handling and protection of
each type of data, depending on how it's classified. Some examples of
classifications are "sensitive/regulated," "restricted," "confidential,"
and "public."

- *Information Labeling Policy*: this would typically set forth
requirements around how information is labeled in order to provide a visual
cue/reminder to people about the sensitivity of that information. I would
expect company B to have this kind of policy in place.

- *Information Transfer Policy*: this policy would typically outline
general requirements around how information must/mustn't be transferred
that apply to all information. Additionally, it would also normally include
specific requirements for which transfer modes (email, text, IM, phone,
fax, etc.) can/cannot be used for transferring different classes of data,
and how data must be protected depending on the mode that is being used for
the transfer (e.g. encryption).

Those are just a few that come to mind, but depending on the specifics of
your situation, there may be a few other policies from company B's ISMS
that may come into play.

Hope this is somewhat helpful.