diff --git a/app/controllers/merge_controller.rb b/app/controllers/merge_controller.rb
index 5a3f041a2..7d232f4c1 100644
--- a/app/controllers/merge_controller.rb
+++ b/app/controllers/merge_controller.rb
@@ -1,5 +1,6 @@
 class MergeController < ApplicationController
   before_action :authenticate_user!
+  before_action :authenticate_scope!
 
   def show
     render form.view_path
@@ -32,11 +33,17 @@
   private
   def form_params
     merge_params = params.fetch(:merge, {}).permit(:merging_organisations)
-    if merge_params[:merging_organisations].blank?
-      merge_params[:merging_organisations] = [params[:id]]
-    else
-      merge_params[:merging_organisations] = merge_params[:merging_organisations].split(" ") << params[:merge][:merging_organisation]
-    end
+    merge_params[:merging_organisations] = if merge_params[:merging_organisations].blank?
+                                             [params[:id]]
+                                           else
+                                             merge_params[:merging_organisations].split(" ") << params[:merge][:merging_organisation]
+                                           end
     merge_params
   end
+
+  def authenticate_scope!
+    if current_user.organisation != Organisation.find(params[:id]) && !current_user.support?
+      render_not_found
+    end
+  end
 end
diff --git a/spec/requests/organisations_controller_spec.rb b/spec/requests/organisations_controller_spec.rb
index 459987fdc..0eef27740 100644
--- a/spec/requests/organisations_controller_spec.rb
+++ b/spec/requests/organisations_controller_spec.rb
@@ -230,7 +230,7 @@ RSpec.describe OrganisationsController, type: :request do
 
       it "displays a link to merge organisations" do
         expect(page).to have_content("Is your organisation merging with another?")
-        expect(page).to have_link("Let us know using this form", href: "/organisations/#{organisation.id}/merge")
+        expect(page).to have_link("Let us know using this form", href: "/organisations/#{organisation.id}/merge/start")
       end
     end
 
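Review bot: `authenticate_scope!` answers differently for an organisation that does not exist than for one the user may not see: `Organisation.find(params[:id])` raises `ActiveRecord::RecordNotFound` before the scope test runs (handled by whatever Rails' default not-found handling is in this app), while an out-of-scope id goes through `render_not_found`. If those two responses differ in any observable way, the route becomes an oracle for valid organisation ids; loading with `find_by(id:)` and treating a missing record exactly like an out-of-scope one closes that and also reads more directly than the negated comparison. Separately, the check only scopes the `:id` from the URL — the organisation ids a user submits via `merging_organisations` / `merging_organisation` in `form_params` are not scoped here, which may or may not matter depending on what the merge flow does with them (not visible in this diff). The method itself is complete in the hunk; the enclosing `MergeController` class starts outside it.
```ruby
  def authenticate_scope!
    organisation = Organisation.find_by(id: params[:id])
    return if organisation && (current_user.support? || current_user.organisation == organisation)

    render_not_found
  end
```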
@@ -444,7 +444,7 @@ RSpec.describe OrganisationsController, type: :request do
   describe "#merge" do
     context "with an organisation that the user belongs to" do
       before do
-        get "/organisations/#{organisation.id}/merge", headers:, params: {}
+        get "/organisations/#{organisation.id}/merge/start", headers:, params: {}
       end
 
       it "shows the correct content" do
@@ -455,14 +455,14 @@ RSpec.describe OrganisationsController, type: :request do
         expect(page).to have_link("Back", href: "/organisations/#{organisation.id}")
       end
 
-      it "has a correct start no button" do
-        expect(page).to have_link("Start now", href: "#")
+      it "has a correct start now button" do
+        expect(page).to have_link("Start now", href: "/organisations/#{organisation.id}/merge/organisations")
       end
     end
 
     context "with organisation that are not in scope for the user, i.e. that they do not belong to" do
       before do
-        get "/organisations/#{unauthorised_organisation.id}/merge", headers:, params: {}
+        get "/organisations/#{unauthorised_organisation.id}/merge/start", headers:, params: {}
       end
 
       it "returns not found 404 from org details route" do