Managing Your Compliance Controls Activities Throughout M&A

Managing Compliance Throughout M&A

How can you ensure that your security and compliance controls will continue to operate effectively during mergers and acquisitions? Here are a few tips to aid you in what to expect and ways to manage your changing environment!

Design and Own Your SOC 2 Controls

Mergers and acquisitions (M&A) are exciting events for organizations of all sizes and maturity levels. They bring with them new team members, new opportunities, or just new capital.

I frequently encounter these as a large number of clients I work with are in the high-tech startup community. They are founded and operate with the singular goal of ultimately becoming acquired.

If you have been through M&A before, you know this process can feel like a whirlwind.

If you haven’t, know that there are dozens of workstreams happening in parallel across all business units and teams. Between all the planning and due diligence activities, team integrations, and personnel churn, it can be easy to overlook the operating effectiveness of your security and compliance controls.

Failure to guarantee the smooth transition of your Single Framework Strategy through this time can have a large impact on the success of your organization.

In addition to serving as the baseline for a mature security program, the operational effectiveness of your security and compliance controls can be directly tied to your future sales enablement strategy. Failure to ensure their continued operation may impact your ability to achieve your required certifications and third-party assessments (ISO 27001, PCI DSS, SOC 2, etc.).

This may prevent new sales and even jeopardize existing contracts.

Now that you know the impact failing to ensure continuity of controls can have, here are a few tips on how you can reduce the risk of this occurring in your organization:

Note: You must conduct all the following activities in preparation for any M&A as part of the planning stage. Waiting until after the M&A may result in the previously mentioned lapse of control operation.

Scope of Change

When determining how to effectively update your controls it’s first critical to ensure you have a good understanding of the scope of change. This means having a clear picture of what the final state of the M&A activity looks like and who the responsible owners will be.

This could be the acquisition of a single product, an entire business unit, or even the whole organization. Knowing who will be responsible for the environments reliant on your controls is vital, as these changes will often lead to changes in the infrastructure.

For example, you may have to migrate your application from a particular cloud service provider (CSP) to another that the organization has existing relations with.

You may have to move from Google Workspace to legacy Microsoft Active Directory environments, or even migrate your users to a new IAM provider. Each of these changes requires updates to your Single Framework Strategy as they will present new challenges, opportunities, and at the very least new terminology that must be included in your controls.

Identify That Which Needs Updating

Once you have identified the scope of change, you then need to identify which controls need to be updated. This process can be intuitive if your team is well versed in the operations of your security and compliance program and you have ensured regular updates and reviews of your Single Framework Strategy.

The areas that need to be updated most frequently include, but are not limited to:

  • Teams – Often, controls will call out a specific team or function as being responsible for addressing a control. An example would be pointing to an internal Security & Incident Response Team for responding to all security incidents. However, this team or role may not exist in the new environment.
  • Specific Technology/Solutions – Controls mandating the use of specific tools and technology for the success of the control need to be evaluated. For example, a control may dictate that all remote users leverage a Cisco VPN, but the new environment will mandate Perimeter 81.
  • Frequency – Many controls dictate the frequency at which they occur. Any control dictating a frequency should be validated with the new environment to determine if it needs to be updated. For example, vulnerability scans may have been running weekly on your environment but will only be completed quarterly moving forward.
  • Scope – The scope of the individual controls themselves may change, either widening or narrowing.

Generate and Execute Migration Plans

Once you have identified all controls that require updating, you should develop migration plans where needed, including identifying any new control owners.

A great example of this is the identification and transition of security and compliance governance activities. If your Single Framework Strategy leverages a committee or group (such as an Information Risk Council) for its successful operation, but no such body exists in the new environment, steps should be taken to either charter a new team or spread the responsibilities to various owners.

These plans should be documented and agreed upon by the members involved. Your transition plan should be managed following your change management program, leveraging SMART goals that have been assigned to a specific individual for accountability.


To ensure that the newly created controls are effectively scoped, implemented, and operating effectively you should assess them all as part of your internal audit activities.

If you either don’t have an established internal audit process or your internal audit is scheduled far in the future, I’d highly recommend that you do not wait. As the controls (and likely their owners) are new, you need to be sure of their operating effectiveness.

This will minimize the risk of exceptions during your next external audit or assessment.

In addition to validating the newly created controls internally, you should discuss with your external audit firm to ensure your test procedures and design of controls meet their specific requirements.


While M&A is a fun and exciting time, it’s also very busy.

It’s a particularly busy time for those tasked with managing the security and compliance program within the organization. Those individuals should validate and update any impacted controls to ensure the continued success and security of the organization.

If you have questions about managing your Single Framework Strategy, you should contact our vCISO experts to guide you through the process and help tie the implementation into your various compliance requirements.
