866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
SOC Essentials for Early-Stage Companies
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO-20000-1
Privacy Assessments
Privacy Assessments
APEC Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
Privacy Program Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
DoD IL6
Healthcare Assessments
Healthcare Assessments
HITRUST Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Red Teaming
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Series
AI Red Teaming
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
Our Technology
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
ISO Certificate Directory
Contact Us

«  View All Posts

How to Navigate Your SOC and ISO Compliance Post-Merger or Acquisition Blog Feature
Lauren Edmonds

By: Lauren Edmonds

Print/Save as PDF

How to Navigate Your SOC and ISO Compliance Post-Merger or Acquisition

Compliance and Certification | ISO Certifications | SOC Examinations

Published: May 7, 2025

Organizations complete mergers and acquisitions (M&A) all the time, be it for growth and expansion, to further synergize or diversify, or for other incentives. And as varied as your reason(s) may be for your latest realignment, there is one consistent impact M&A has no matter the driver—the effect on your ongoing compliance cycles. As such, you need to have a plan to properly adjust, especially since there are different paths you can take when accommodating such an organizational shift. 

As long-time compliance assessors and cybersecurity experts, we know that these complications—amidst everything else you have going on with M&A on top of normal business operations—can seem daunting. So, let us simplify it for you by giving you a place to start and some insight. 

In this blog post, we’ll take a look at your options regarding two of the most common security and compliance audits and certifications—we’ll provide the pros and cons to separate SOC 2 reports/ISO certifications and consolidated ones so that as you make business decisions moving forward, you will have a foundation for how to adjust your compliance initiatives as necessary. 

Options for How to Adjust Your SOC 2 Reporting After a Merger or Acquisition  

If you’re currently in the midst of a SOC 2 reporting cycle and are also making an acquisition, here are your two options for dealing with the new business in your SOC 2 examination. 

1. Perform Separate Audits/Reports  

Of course, the most obvious path is to just perform a separate audit—one for your established, scoped services/products, and then add another to assess those you’ve acquired, which means you end up with separate reports by product or service. 

Two reports may seem less than ideal, but you should note that it may be possible to consolidate certain entity-level controls—meaning that if your established report and that of your acquisition share them, they can be tested once but reused in those separate reports. You could even choose to carve those out within a central/enterprise SOC 2 report instead, but here are some more pros (and cons) of investing in another SOC report for your acquisition: 

Pros

Cons
  • Easier distribution to relevant customers for their review
  • Less risk of an exception impacting multiple products or services
  • The cost of an additional report
  • The audit impact on your internal team(s) may be greater for separate assessments (depending on scope, timelines, process structure, etc.)

2. Consolidate Your Acquired Business into Your Existing SOC Report

On the other hand, you could instead perform a single consolidated audit and generate a consolidated SOC report—one that encompasses your established scope and that of your new business.  

Here are the advantages and disadvantages of this route: 

Pros 

Cons 
  • Reduced audit fees
  • Reduced audit burden/impact on internal teams
  • Increased ability to bring on new products with less impact per addition (i.e., new products and services could be “on-boarded” in a more seamless manner)
  • May require additional detail to avoid customer confusion regarding systems and test results
  • Risk of an exception being visible to customers who are not actually impacted by that finding (different systems, different samples, etc.)

Should You Perform a Separate SOC 2 Examination for Your Acquired Business or Consolidate?  

So then, how should you approach your SOC 2 reporting post-merger? 

Separate SOC 2 reports would better suit organizations that: 

  • Serve different customer bases  
  • Have SOC 2 review periods that are unalterable 
  • Would need to scope different Trust Services Categories (TSCs) due to the varying relevance of TSCs to the separate systems, controls and processes 
  • Have different customer commitments regarding the SOC 2 TSCs 

Whereas taking a consolidated approach would make sense for those organizations that have: 

  • Overlapping or similar customer bases 
  • Consolidated entity level controls (e.g., consolidated onboarding, offboarding, and performance evaluation processes, consolidated/global policies, consolidated risk assessment programs)  
  • Consolidated people and processes (e.g., consolidated HR and/or compliance teams, a unified control set).  Even if infrastructure and systems differ, use of a single control set can allow for a consolidated report and samples to be used to test the differing systems or teams. 

Options for How to Adjust Your ISO Certification After a Merger/Acquisition 

Maybe you’ve invested in SOC 2 and an ISO certification, or maybe you’ve only opted for the latter. Whatever the case, here’s a deeper look at separate certifications or consolidation post-merger. 

1. Achieve Separate ISO Certifications

As with the SOC 2 reports, you can perform separate certification audits—one for your established services/products and one for the new ones under your organizational umbrella so that you end up with separate reports and certificates by product or service. 

Here are the pros and cons of separate ISO certifications: 

Pros

Cons
  • Allows for you to make a slower transition to eventually consolidate your management systems (and ISO certifications)
  • Allows entities that remain legally separate to maintain separate management systems and ISO certificates
  • The cost of an additional certification
  • Audit impact is increased on both the assessment side as well as maintaining separate management systems and programs
  • You can expect those internal costs to nearly double

2. Consolidate Your Acquired Business into Your Existing ISO Certification

Alternatively, you may want to perform a single, consolidated audit and generate a consolidated report and certificate, and here are the advantages and disadvantages of such a choice: 

Pros

Cons
  • Reduced audit fees
  • Reduced audit burden / impact on internal teams
  • Increased ability to bring on new products with less impact per addition (i.e., new products and services could be “on-boarded” in a more seamless manner)
  • Requires additional effort before the certification review to expand the scope of the most mature management system to incorporate the additional products, services, organization(s) post-M&A activity

Should You Perform a Separate ISO Certification for Your Acquired Business or Consolidate?  

So again, which direction should your organization go? 

Keeping your ISO certifications separate would make the most sense if: 

  • Both you and the entity you’re acquiring or merging with maintained your own ISO certifications prior to the M&A event 
  • Customers dictate separate certifications 
  • Both you and the entity you’re acquiring will remain separate legal entities for some period of time following the M&A event 

However, you could choose to consolidate your ISO certifications and stand to benefit if you’re well-resourced and as such, are already prepared to merge management systems (i.e., you have a single mature management system in place that can be expanded to include the new products, services, entity, etc.).   

If your organization decides to consolidate management systems and ultimately produce a single ISO certificate, you should review both management systems to determine which system is most mature (this is not just based on the original issuance date, but the program overall), the certificate review cycles and timing of the programs, and which program is best suited for expansion.  Scope expansion reviews can be used during surveillance or recertification cycles or can be performed off-cycle to expand the certificate that is determined by management to be the most mature and the best suited for expansion to incorporate the larger consolidated scope.  You should work with your ISO certification body (or bodies) to help roadmap the solution that is best for your organization.  

Moving Forward with Harmonious M&A and Compliance 

When it comes to SOC 2 examinations and ISO certifications and the impact of a new acquisition, the pros and cons of adjusting your compliance to add separate reports or consolidate them are incredibly similar. But, as we’ve noted, there are key indicators that could help you decide which way to go as you move forward with expanding your business and maintaining compliance, whether it’s with SOC 2 criteria or an ISO framework. 

You should also take care to consider the security risks that you open yourself up to when merging and acquiring, and if you’re interested in learning more about how you can mitigate those—or how we can help you with your existing SOC 2 reports and ISO certifications—contact us today. 

About Lauren Edmonds

Lauren Edmonds is a Managing Director at Schellman based in Denver, Colorado. With more than 20 years of audit and compliance experience, Lauren has participated in more than 2,000 assessments including SOC 1, SOC 2, SOC 3, WebTrust, PCI DSS, FedRAMP, IRAP, NIST, HIPAA, ISO certification reviews and general attestation projects evaluating and assessing global corporations’ IT control environments and business processes. In addition, she has internal audit experience in network security, risk assessment, IT general controls, and systems development. Through the various audits performed, Lauren has evaluated risks and controls for a number of industries and organizations including financial services, manufacturing, marketing, distribution, and service-based organizations, such as telecommunications providers, data center, managed, and security service providers. Lauren is a PCI QSA and maintains the CISSP, CISA, and CCSK certifications. Additionally, Lauren is trained as a lead auditor for ISO 27001 (27017, 27018, 27701), ISO 9001, ISO 20000-1 and ISO 22301 Standards.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.