Exam CISM topic 1 question 57 discussion

For acquiring another company you need to determine how much you’re willing to spend on it. The Information Security Manager can deliver his/her part for this by determining the cost for aligning the IS part. In order to come to the costs a GAP analysis needs to be done and costs for each action needs to be determined. Policies are vague and not complete / detailed enough.

When acquiring another company, understanding and assessing the security policies and practices of the acquired entity (Company B, in this case) is crucial. This ensures that the integration process takes into account any differences in security policies, controls, and practices between the two organizations. Harmonizing security policies and aligning security controls across both entities is essential for maintaining a consistent and effective security posture. While factors such as the cost to align with Company A's security policies (option A), the organizational structure of Company B (option B), and Company A's security architecture (option D) are important considerations, understanding and addressing the security policies of the acquired company is a key priority during the integration process.

C. The security policies of Company B will provide critical insights into their security practices, compliance requirements, and potential gaps that need to be addressed during the integration process.

C. Company B's security policies

Acquiring a new company can introduce significant security risks for an organization, particularly if the acquired company has different security policies, procedures, and standards than the acquiring organization. Therefore, it is essential for the information security manager of Company A to thoroughly assess and evaluate the security posture of Company B before the acquisition is completed.