ISO 27001 controls re: engineering data bridges set up between companies
Hi All: Does anyone have some guidance related to ISO 27001 risks and related controls/policies which become important to consider for a company going through an acquisition process? For example, if Company A is being acquired by Company B (which is ISO 27001 compliant), and Company A and B have set up 'data exchange bridges' to exchange data during the acquisition process, what controls (specific to ISO 27001) come into play? What would an audit plan/communication plan for such a control set look like?
Re: ISO 27001 controls re: engineering data bridges set up between companies
@Midude2000 - without knowing the specifics of your situation and the scope of your ISMS, it would be difficult to offer more, but given the example you gave about data exchange, here are some things that might come into play from an ISO 27001 perspective:
- *Information Classification Policy*: this would typically outline the various classifications you have in place for your data. In this case, company B (the ISO 27001-certified company) would normally have specific classification levels in place to distinguish the different types of data and how to protect each group. This would be important to consider in the exchange of data, because company B would need to ensure that the exchange process is in line with their policies around handling and protection of each type of data, depending on how it's classified. Some examples of classifications are "sensitive/regulated," "restricted," "confidential," and "public."
- *Information Labeling Policy*: this would typically set forth requirements around how information is labeled in order to provide a visual cue/reminder to people about the sensitivity of that information. I would expect company B to have this kind of policy in place.
- *Information Transfer Policy*: this policy would typically outline general requirements around how information must/mustn't be transferred that apply to all information. It would also normally include specific requirements for which transfer modes (email, text, IM, phone, fax, etc.) can/cannot be used for transferring different classes of data, and how data must be protected depending on the mode that is being used for the transfer (e.g. encryption).
Those are just a few that come to mind, but depending on the specifics of your situation, there may be a few other policies from company B's ISMS that may come into play.