Security is not measured by firewalls purchased but by controls verified. ISMS audit and diagnosis with an evidence-based approach: without traceability, there is no real protection.

"Security is not measured by firewalls purchased but by controls verified with evidence."
Fernando Arrieta, Lead Auditor ISO/IEC 27001
They need to validate that declared controls work in practice. The audit turns the perception of security into auditable records.
They require visibility into the real level of information protection and the status of regulatory compliance. Without unnecessary technical jargon.
Preparing for ISO 27001 certification audit or annual surveillance audit. They need to ensure conformity before the certification body's visit.
Six critical domains that every ISMS must cover with evidence — not with intention.
Policy, roles, leadership, and management commitment. Organizational context and ISMS scope.
Identification, assessment, and treatment of security risks. Acceptance criteria and documented treatment plan.
Identity management, least privilege, multi-factor authentication, and periodic permission reviews.
Encryption, classification, data lifecycle, backup, and secure destruction. Extension to privacy (ISO 27701).
Detection, response, escalation, notification, and lessons learned. Communication plans for stakeholders.
Business continuity plans, disaster recovery, periodic testing, and availability metrics.
ISO/IEC 27001:2022. The international standard for information security management systems. 93 controls organized in 4 categories. The foundation of every serious security audit.
ISO/IEC 27701:2019. Extension for personal information privacy management (PII). A growing requirement for organizations processing personal data in regulated contexts (GDPR, LGPD).
ISO/IEC 27005. Guidance for information security risk management. An essential complement for the risk treatment required by ISO 27001.
NIST Cybersecurity Framework. A complementary framework for organizations with exposure to North American markets. Identifies five functions: Identify, Protect, Detect, Respond, Recover.
An ISMS (Information Security Management System) based on ISO/IEC 27001 is a set of policies, processes, and controls that protect the confidentiality, integrity, and availability of information. It is not a firewall or software — it is a management system with auditable evidence.
ISO 27001 protects information security in general. ISO 27701 extends that system to specifically cover personal data privacy (PII). If you process personal data, you need both. ISO 27701 is implemented as an extension of an already certified ISMS.
A gap diagnosis against ISO 27001 is delivered in 2-4 weeks. A complete internal audit of an existing ISMS takes 4-8 weeks depending on scope. What matters is the quality of evidence, not speed.
Partially. ISO 27001 covers access controls, encryption, incident management, and continuity that apply to AI systems. But for specific AI governance, ISO/IEC 42001 is needed as a complement. Information security is a necessary but not sufficient condition.
Start with a gap diagnosis: the current state is assessed against the 93 Annex A controls of ISO 27001, the most critical risks are identified, and a prioritized roadmap is defined. No prior certification is needed to begin.
If your organization is evaluating its information security posture or preparing for ISO 27001, this is the channel to discuss scope and approach. All inquiries are handled under confidentiality.
The consulting and implementation services described on this site are provided independently. Certification audits and decisions are the exclusive responsibility of accredited certification bodies. In accordance with ISO/IEC 17021-1 §5.2, impartiality restrictions and cooling-off periods apply.