This week, a ransomware attack stole 8 TB of data from a technology services company. This is not an isolated incident: ransomware now represents 38% of threats in Latin America, with Brazil, Mexico, and Argentina leading the list of most-attacked countries.
The repeating pattern
In 15 years of auditing management systems across LATAM, the pattern is consistent. Organizations have continuity documentation but do not exercise it under real pressure:
- Untested continuity plan: It exists on paper, but the last drill was 2 years ago.
- Outdated access controls: Privileges haven't been reviewed in 18 months. Former employee accounts remain active.
- SOC without playbook: The operations center monitors alerts but has no tested procedure for ransomware specifically.
Concerning data
Based on our assessments of 140+ organizations in LATAM:
- 82% of financial organizations lack a cyber-resilience program integrating ISO 22301 with ISO 27001.
- 67% of major non-conformities stem from documentation that exists but is not put into practice.
- Less than 1% of organizations have a C-level CISO reporting directly to the board.
The certificate doesn't stop the attack
An ISO 27001 certificate on the wall doesn't stop ransomware. What stops it are tested operational controls: immutable backups verified monthly, network segmentation isolating critical assets, and a team that knows exactly what to do in the first 4 hours of an incident.
What your organization should do
If your ransomware response plan hasn't been tested in the last 6 months, the question isn't if it will happen — it's when. Three immediate actions:
- Simulate an attack: Run a ransomware tabletop exercise with IT and senior leadership.
- Audit access controls: Review privileges, remove inactive accounts, implement MFA on all critical access.
- Assess gaps against ISO 27001: A 72-hour gap assessment shows you exactly where you stand.
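
One way to start the access-control audit in the second action, as an added example that is not part of the original article: a Python check over an account export joined with the HR roster. The field names, the sample rows and the 90-day and 365-day thresholds are assumptions made for illustration.

```python
from datetime import date

# Assumed policy thresholds (not from the article); set them to your own policy.
MAX_IDLE_DAYS = 90      # no sign-in for this long counts as inactive
MAX_REVIEW_DAYS = 365   # privileges must be re-certified at least this often

# Constructed sample rows, as if a directory export were joined with the HR roster.
TODAY = date(2025, 6, 1)
ACCOUNTS = [
    {"user": "a.reyes", "enabled": True, "owner_active": True, "critical": True,
     "mfa": True, "last_login": date(2025, 5, 28), "last_review": date(2025, 2, 10)},
    {"user": "j.silva", "enabled": True, "owner_active": False, "critical": False,
     "mfa": False, "last_login": date(2024, 11, 2), "last_review": date(2023, 10, 15)},
    {"user": "m.costa", "enabled": True, "owner_active": True, "critical": True,
     "mfa": False, "last_login": date(2025, 5, 30), "last_review": date(2023, 11, 1)},
    {"user": "l.perez", "enabled": False, "owner_active": False, "critical": False,
     "mfa": False, "last_login": date(2024, 1, 9), "last_review": date(2023, 6, 1)},
]


def audit(accounts, today, max_idle=MAX_IDLE_DAYS, max_review=MAX_REVIEW_DAYS):
    """Return {user: [finding codes]} for enabled accounts that fail a check."""
    report = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used to sign in
        findings = []
        if not acct["owner_active"]:
            findings.append("FORMER_EMPLOYEE_ACTIVE")
        login = acct["last_login"]  # None means the account never signed in
        if login is None or (today - login).days > max_idle:
            findings.append("INACTIVE")
        if acct["critical"] and not acct["mfa"]:
            findings.append("NO_MFA_ON_CRITICAL")
        review = acct["last_review"]  # None means privileges were never reviewed
        if review is None or (today - review).days > max_review:
            findings.append("REVIEW_OVERDUE")
        if findings:
            report[acct["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS, TODAY).items():
        print(f"{user}: {', '.join(findings)}")
```

Accounts with `FORMER_EMPLOYEE_ACTIVE` are the ones to disable first; the other findings feed the privilege review and the MFA rollout.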