Technical answers about ISO standards, cybersecurity, AI governance and risk management.
ISO 42001 is the international standard for artificial intelligence management systems. It establishes requirements for governing the AI lifecycle in a traceable, auditable manner aligned with ethical principles.
Any organization that develops, deploys, or uses AI systems in its operations. This includes technology companies, financial institutions, public agencies, and any sector where AI affects decisions about people.
It depends on the complexity of AI systems and organizational maturity. An initial diagnostic can be completed in 5 to 15 business days. Organizations with multiple models in production require a broader scope.
A gap analysis against the standard's requirements is performed, along with a review of existing AI governance, impact assessments, and control mapping. The methodology conforms to the ISO 19011 audit guidelines.
The client receives a diagnostic report with classified findings, a gap matrix, a prioritized roadmap, and control recommendations. Each finding includes objective evidence and normative reference.
ISO 42001 shares the high-level structure (Annex SL) with ISO 27001 and ISO 9001, facilitating integration. ISO 27001 information security controls complement ISO 42001 AI governance.
The most recurring findings include absence of AI system inventories, lack of documented impact assessments, unmonitored algorithmic bias, and absence of responsible AI usage policies.
It is recommended to prepare an inventory of all AI systems in use, document existing data policies, and designate an AI governance lead. A prior internal self-assessment facilitates the process.
According to a study of 180 executives across 12 countries, 64% increased their AI dependency for strategic decisions, 58% report signs of cognitive atrophy, and 71% exhibit automation bias by accepting AI recommendations without critical questioning.
Only 23% of evaluated boards have a formal AI governance committee or structure at board level. The remaining 77% delegate AI decisions exclusively to technical teams without strategic oversight.
ISO 27001 is the international standard for information security management systems (ISMS). It defines requirements for establishing, implementing, maintaining, and continually improving the protection of information assets.
Any organization managing sensitive information: technology companies, financial entities, healthcare providers, government agencies, and service providers handling third-party data.
A typical gap diagnostic requires 5 to 20 business days, depending on the organization size, number of information assets, and complexity of the technology infrastructure.
A gap analysis is performed against the 93 Annex A controls of the 2022 version, together with a review of the Statement of Applicability, the risk assessment, and verification of documentary evidence per ISO 19011.
The client receives a findings report with non-conformity classification, evaluated controls matrix, residual risk analysis, and an action plan with suggested remediation timelines.
ISO 27001 integrates directly with ISO 27701 (privacy), ISO 22301 (continuity), and ISO 42001 (AI). It shares the Annex SL structure with ISO 9001, enabling multi-standard integrated audits.
Recurring findings include deficient access management, absence of asset classification, untested continuity plans, and lack of effectiveness metrics for implemented controls.
It is recommended to have an updated information asset inventory, a documented risk assessment, and a preliminary statement of applicability. Designating an ISMS manager is essential.
ISO 9001 is the international standard for quality management systems. It defines requirements to demonstrate the ability to consistently provide products and services that meet customer and applicable regulatory requirements.
Organizations of any size and sector seeking to systematize their quality processes. It is especially relevant for companies participating in international supply chains or tenders requiring accreditation.
Between 3 and 15 business days depending on the number of processes, sites, and personnel involved. Organizations with multi-site operations require more sampling time.
The process-based approach per ISO 19011 is applied: document review, process owner interviews, record verification, and evaluation of PDCA (Plan-Do-Check-Act) cycle effectiveness.
Audit report with findings classified by clause, evaluated process map, identified improvement opportunities, and a corrective action plan with defined priorities.
ISO 9001 is the foundation of integrated management systems. Its Annex SL structure allows combination with ISO 14001, ISO 45001, ISO 27001, and other management standards, optimizing audit resources.
Recurring findings include unmeasurable quality objectives, incomplete management review, non-conformity management without root cause analysis, and absence of customer satisfaction indicators.
Document the process map, define measurable quality objectives, ensure the quality policy is communicated, and verify that records exist for at least one complete operating cycle.
ISO 22301 is the international standard for business continuity management systems. It establishes requirements for planning, implementing, and maintaining an organization's ability to continue operating during disruptive incidents.
Organizations whose operational disruption generates critical impact: financial entities, essential service providers, global supply chains, data centers, and critical infrastructure operators.
Between 5 and 15 business days depending on the number of critical processes and the complexity of interdependencies between areas. Multi-site organizations require an expanded scope.
The business impact analysis (BIA), continuity risk assessment, documented continuity plans, and exercise and test results are evaluated, all in accordance with the ISO 19011 audit framework.
Continuity system gap report, BIA maturity assessment, review of recovery time and recovery point objectives (RTO/RPO), and recommendations for the exercise program.
ISO 22301 complements ISO 27001 in the availability and resilience dimension. It links with ISO 31000 for risk management and with ISO 27031 for ICT service recovery.
Frequent findings include outdated BIA, continuity plans not tested in the last 12 months, absence of defined RTO/RPO for critical processes, and lack of documented crisis communication.
Conduct an updated BIA, identify critical processes with their dependencies, document RTO and RPO per service, and execute at least one tabletop exercise prior to the assessment.
ISO 37001 is the international standard for anti-bribery management systems. It establishes requirements for preventing, detecting, and responding to bribery across all organizational activities and its value chain.
Public and private organizations operating in high bribery-risk sectors, companies with cross-border operations, government suppliers, and entities subject to anti-corruption legislation such as the FCPA or UK Bribery Act.
Between 5 and 20 business days, depending on the organizational structure, geographic presence, and complexity of relationships with third parties and public officials.
Anti-bribery due diligence, financial and non-financial controls, whistleblowing channels, staff training, and anti-corruption program effectiveness are evaluated per ISO 19011 guidelines.
Bribery risk assessment report, anti-bribery controls matrix, third-party due diligence review, and recommendations for strengthening the integrity program.
ISO 37001 complements ISO 37301 (compliance) to form a comprehensive integrity framework. It also links with ISO 31000 for managing corruption risks within the general risk framework.
Frequent findings include insufficient due diligence on intermediaries, absence of bribery risk assessment by country or sector, whistleblowing channels without anonymity guarantees, and training limited to management levels.
Document the anti-bribery policy, conduct a preliminary bribery risk assessment, review existing financial controls, and verify the existence of an operational whistleblowing channel.
ISO 27701 is the extension of ISO 27001 for privacy information management (PIMS). It establishes additional requirements for protecting personal data, whether the organization acts as a controller or as a processor of that data.
Organizations processing personal data at scale: technology companies, healthcare providers, financial entities, e-commerce platforms, and any entity subject to GDPR, LGPD, or equivalent legislation.
Between 5 and 15 business days, conditioned by the volume of personal data processed, the number of processing activities, and the maturity of the existing ISMS under ISO 27001.
The extension of ISO 27001 controls to privacy is evaluated, along with the record of processing activities, data protection impact assessments (DPIA), and the mechanisms through which data subjects exercise their rights.
Privacy gap report, review of the record of processing activities, assessment of additional privacy controls, and recommendations for alignment with applicable legislation.
ISO 27701 requires an ISO 27001-based ISMS as a prerequisite. It allows mapping controls to GDPR, LGPD, and other privacy regulations, functioning as a bridge between the technical and legal frameworks.
Typical findings include incomplete processing records, undocumented legal bases for processing, absence of DPIA for high-risk processing, and insufficient mechanisms for handling data subject rights.
Have ISO 27001 implemented, prepare the record of processing activities, identify the legal bases for each processing activity, and designate a data protection officer.
ISO 37301 is the international standard for compliance management systems. It establishes requirements for organizations to demonstrate their commitment to meeting legal, regulatory, and voluntary obligations.
Organizations in highly regulated sectors: financial services, pharmaceuticals, energy, telecommunications, and any entity operating across multiple jurisdictions with complex regulatory obligations.
Between 5 and 20 business days, depending on the number of applicable regulatory obligations, the legal environment complexity, and the number of jurisdictions in which the organization operates.
Regulatory obligation mapping, compliance function review, compliance culture assessment, and verification of monitoring and reporting mechanisms are performed per ISO 19011.
Evaluated regulatory obligations matrix, compliance system maturity report, findings classified by criticality, and a roadmap to strengthen the compliance function.
ISO 37301 forms a pair with ISO 37001 (anti-bribery) to address organizational integrity. It also integrates with ISO 31000 for regulatory non-compliance risk management.
Recurring findings include incomplete obligation registers, absence of periodic compliance risk assessments, compliance function lacking hierarchical independence, and insufficient staff training.
Prepare an inventory of legal and regulatory obligations, define the compliance function structure, document the compliance policy, and establish monitoring indicators.
ISO 31000 is the international standard providing guidelines for risk management. Unlike the management system standards (such as ISO 27001 or ISO 9001), it is not certifiable; it serves as a framework for integrating risk management across the entire organization.
Any organization seeking a structured approach to managing uncertainty. It is especially critical for boards of directors, strategy areas, and organizations required to report risk management to regulators.
Between 5 and 15 business days, depending on the scope breadth (entire company vs. business unit) and the number of organizational levels participating in the risk process.
The risk framework, risk management process, and organizational risk culture are evaluated. This includes governance review, identification methodologies, evaluation criteria, and risk treatment approaches.
Risk management framework maturity report, strategic risk map, risk culture assessment, and recommendations for aligning risk appetite with organizational strategy.
ISO 31000 is cross-cutting to all management system standards. It provides the risk vocabulary and principles that ISO 27001, ISO 22301, ISO 37001, and other standards apply in their risk assessment clauses.
Recurring findings include outdated risk matrices, absence of a formalized risk appetite, disconnection between strategic and operational risks, and lack of key risk indicators (KRIs).
Document the organizational context, define risk criteria, update the existing risk register, and ensure top management commitment to the assessment process.
A cybersecurity assessment encompasses the evaluation of technical, organizational, and process controls that protect digital assets. It includes security architecture review, vulnerability management, incident response, and cybersecurity governance.
Any organization with critical digital assets: companies with online presence, infrastructure operators, entities handling sensitive data, and organizations required to comply with cybersecurity regulatory frameworks.
Between 5 and 25 business days depending on scope: a governance assessment can be completed in a week, while a comprehensive technical assessment with penetration testing requires more time.
It is based on recognized frameworks such as NIST CSF, CIS Controls, and ISO 27001. It includes maturity assessment, technical controls review, gap analysis, and threat scenario simulation.
Cybersecurity maturity report, prioritized vulnerability inventory, current security architecture map, and control recommendations with implementation effort estimates.
Cybersecurity assessment aligns with ISO 27001 as a management framework and ISO 22301 for resilience. Frameworks such as NIST CSF can be mapped against ISO 27001:2022 Annex A controls.
Recurring findings include deficient patch management, insufficient network segmentation, absence of a tested incident response plan, and security monitoring limited to basic logs without correlation.
Document the network topology, inventory critical technology assets, compile existing security policies, and ensure access to logs from the last 90 days for review.
According to the IMC-PyME index assessed across 230 companies in 8 countries, 67% of SMEs are at Level 1 (initial) and only 4% reach Level 4 or above. The weakest dimension is supply chain security, averaging 1.2 out of 5.
The IMC-PyME (Cybersecurity Maturity Index for SMEs) is an assessment instrument with 5 levels and 7 dimensions designed to measure the security posture of small and medium enterprises. It is applied through structured questionnaires, interviews, and documentary evidence verification.
Concentration creates strategic dependency: 3 providers control 67% of the cloud market, 82% of organizations depend on a single cloud provider, and 92% of advanced chips come from a single country. This generates vulnerability to geopolitical disruptions, unilateral price changes, and loss of digital sovereignty.
Strategies include: adopting multi-cloud architectures with guaranteed contractual portability, periodic evaluation of critical providers with continuity criteria (ISO 22301), gradual diversification of technology components, and developing internal capabilities to reduce operational dependency on third parties.
A financial sector cybersecurity assessment covers the evaluation of sector-specific cybersecurity controls, including transactional channel protection, digital banking security, anti-fraud controls, and sector regulatory compliance.
Banks, fintechs, credit unions, insurers, fund managers, payment processors, and any entity supervised by financial regulators requiring cyber-resilience frameworks.
Between 10 and 30 business days, given the volume of regulatory controls, the complexity of transactional channels, and the documentation requirements specific to the financial sector.
Sector frameworks such as SWIFT CSCF, PCI DSS, and local financial superintendency regulations are applied alongside ISO 27001. It includes transactional controls assessment, segregation of duties, and resilience testing.
Sector regulatory framework gap report, cyber-resilience maturity assessment, critical channel controls review, and a remediation plan with priorities aligned to the regulator.
It complements ISO 27001 with sector-specific requirements. It links with ISO 22301 for operational continuity and with ISO 27701 when the financial entity processes personal data at scale.
Frequent findings include incomplete multi-factor authentication on critical channels, insufficient transaction monitoring, incident response plans not tested with financial scenarios, and weak segregation of duties.
Compile applicable financial supervisor regulations, document the transactional channel architecture, inventory existing anti-fraud controls, and prepare prior audit reports.
An OT security assessment covers the cybersecurity evaluation of operational technology (OT) environments: SCADA systems, PLCs, industrial networks, IT/OT convergence, and the protection of critical infrastructure against cyber threats.
Critical infrastructure operators: energy, water, oil and gas, manufacturing, transportation, mining, and any sector with industrial control systems connected to corporate networks or the internet.
Between 10 and 30 business days, depending on the number of industrial sites, the diversity of OT protocols used, and the existing IT/OT convergence level.
Frameworks such as IEC 62443 and NIST SP 800-82 are applied, evaluating industrial zones and conduits, OT network segmentation, remote access management, OT asset inventory, and anomaly detection capability.
OT architecture map with zones and conduits, industrial asset inventory, IEC 62443 gap report, IT/OT risk assessment, and a prioritized remediation roadmap.
OT security complements ISO 27001 for corporate security management and ISO 22301 for operational continuity. IEC 62443 provides the specific framework for industrial automation environments.
Frequent findings include absence of segmentation between IT and OT networks, default credentials on industrial devices, outdated firmware without patching processes, and lack of OT traffic monitoring.
Document the industrial network architecture, inventory OT devices with their firmware versions, identify IT/OT convergence points, and define maintenance windows for non-intrusive assessments.
A GRC assessment covers the comprehensive evaluation of governance, risk, and compliance: strategic alignment of the risk framework, control effectiveness, governance structure, and the degree of integration between the three functions.
Organizations with multiple regulatory frameworks, management systems, or implemented ISO standards. It is critical for entities seeking to integrate risk, compliance, and internal control functions under unified governance.
Between 10 and 30 business days, depending on the number of standards and frameworks implemented, the number of business units, and the existing degree of integration between GRC functions.
The level of integration between governance, risk, and compliance is evaluated, along with reporting process efficiency, risk management maturity, and the effectiveness of the three lines of defense structure.
GRC maturity diagnostic, normative framework integration map, risk governance structure assessment, and a roadmap for optimizing the three lines model.
GRC functions as an integration layer across all implemented ISO standards. It uses ISO 31000 as the risk backbone, ISO 37301 for compliance, and the Annex SL structure to unify management systems.
Recurring findings include silos between risk and compliance functions, control duplication across different normative frameworks, fragmented reporting to senior management, and absence of a unified risk taxonomy.
Inventory all implemented standards and regulatory frameworks, document the current governance structure, compile existing risk reports, and map internal control, risk, and compliance functions.
Over 15 years of experience in ISO auditing, risk assessment, and applied research. The approach combines normative rigor with published research, backed by structural independence per ISO/IEC 17021-1.
Services cover Latin America, with experience in Argentina, Mexico, Colombia, Brazil, Chile, and Peru, among others. Assessments can be conducted on-site, remotely, or in hybrid format depending on scope.
An audit is a systematic process per ISO 19011 that verifies conformity against defined criteria. An assessment is a broader diagnostic that may include maturity analysis, gaps, and recommendations without the formality of an audit.
Services are offered in Spanish, English, Portuguese, and Chinese. Reports and deliverables are produced in the language required by the client, and assessments can be conducted in any of these languages.
The engagement begins with a no-cost preliminary consultation to define scope. A technical proposal is then prepared with objectives, methodology, timeline, and deliverables. Once agreed, the assessment is scheduled.
Per ISO/IEC 17021-1, the assessor must maintain structural independence from the assessment outcome. Fernando Arrieta acts as an independent evaluator; certification decisions rest exclusively with accredited bodies.
No. Preliminary assessments and diagnostics are independent of any official certification process. Formal certification is the exclusive competence of accredited bodies. The assessment identifies gaps and strengthens readiness.
It varies by scope: a focused diagnostic may take 3-5 business days, while a comprehensive multi-standard assessment can extend to 15-30 days. Organizational complexity is the determining factor.
Typical steps are: scope definition, document review, on-site or remote assessment with interviews and evidence verification, findings analysis, report preparation, and results presentation to senior management.
Yes. Integrated audits allow evaluating two or more ISO standards in the same cycle, leveraging common requirements of the Annex SL structure. This optimizes time and reduces the burden on the evaluated organization.
Costs vary by standard, organization size, and country. According to a study of 1,247 organizations across 18 countries, ISO 9001 averages USD 5,400 and ISO 42001 reaches USD 14,200. Cost dispersion between countries can reach 47%.
Five main factors are identified: standard complexity, organization size and number of sites, maturity of existing management system, local certification body market, and internal preparation costs (consulting, training, tools).