That depends on the nature and scale of the change. Relatively small changes to the ISMS are expected to occur as it naturally evolves in line with changing business needs for information security, for example through the action of various internal reviews triggering corrective and preventive actions: these should have no effect on your certification status since they are an anticipated and normal part of any ISMS. Larger-scale business or organizational changes may involve significant changes to the scope of the ISMS, for example other parts of the business being integrated with the ISMS, mergers/acquisitions or downscaling/divestments: these may be substantial enough to invalidate your original certificate without at least a surveillance visit from your certification auditors, but it's impossible to give hard-and-fast rules.

Whether your ISMS changes are deemed substantial enough to invalidate your certificate, or to warrant recertification, depends on several factors such as:
· The scale or size of the change/s;
· The nature or type of change/s;
· The likely impact of business and organizational changes on your ISMS and/or information risks and hence the risk treatments required;
· How long it has been since your last certification or surveillance audit, and how long before the next one; and
· The certification body's policies and practices in this regard.

Aside from the certification angle, you should definitely update your information asset and information risk/control registers and maybe your Statement of Applicability. You may need to update your security policies and perhaps restructure the team managing and running the ISMS, which may well imply the need for a new budget. Don't forget to check your ISMS internal audit plans too, and if appropriate adapt your metrics to take account of the full ISMS.