54% of security breaches in LATAM originate in the supply chain. We conduct second-party audits of critical suppliers, assessing security controls, anti-corruption, continuity, and regulatory compliance.
The organization depends on suppliers that process sensitive data, operate critical infrastructure, or act as intermediaries in regulated markets, but lacks a formal third-party risk assessment process. Contracts include generic confidentiality clauses that are never verified. There is no visibility into the security, continuity, or anti-corruption controls suppliers implement.
An incident at a critical supplier directly impacts the organization: client data exfiltration, service interruption, exposure to sanctions for acts of corruption by third parties (Law 27,401 in Argentina). Regulators hold the organization responsible for supplier actions when there is no documented due diligence. Loss of a supplier without a contingency plan can paralyze operations for weeks.
We design and execute the supplier due diligence program in three tiers: (1) ISO self-assessment questionnaire for low-risk suppliers, (2) remote document audit for medium-risk suppliers, and (3) on-site second-party audit for critical suppliers. We assess against ISO 27001 (security), ISO 37001 (anti-corruption), and ISO 22301 (continuity) controls based on each supplier's risk profile. The deliverable includes each supplier's scoring, critical findings, and contractual recommendations.
Suppliers that process the organization's personal or confidential data, those operating critical technology infrastructure (hosting, ERP, payment processing), those acting as intermediaries in regulated markets, and those whose disruption would paralyze business operations. We apply a criticality matrix based on impact (operational, regulatory, reputational) and level of access to the organization's assets.
We assess the supplier's anti-bribery controls per ISO 37001: anti-bribery policy, due diligence of their own third parties, gifts and hospitality registry, whistleblowing channel, and staff training. In high-risk jurisdictions per Transparency International's Corruption Perceptions Index, we apply enhanced procedures including beneficial ownership verification and politically exposed persons screening.
No. The second-party audit evaluates the supplier from the perspective of the specific risks it generates for your organization; it does not certify the supplier. A supplier may hold ISO 27001 certification and still present relevant risks to its client if the certified controls do not cover the scope of the contracted service. Our audit verifies the actual applicability of controls to the context of the business relationship.
Assessment within 72 business hours. ISO methodology. No ties to certification bodies.