Comprehensive ISMS evaluation per ISO/IEC 27001:2022 focused on critical controls and residual risk.
ISO/IEC 27001:2022 replaced the Annex A structure of 114 controls in 14 domains with 93 controls grouped into 4 themes (organizational, people, physical, and technological). This change is not cosmetic: it requires redesigning the Statement of Applicability (SoA), recalibrating the risk assessment, and generating new operational evidence. What most organizations underestimate is that the transition is not a one-to-one mapping of old controls to new ones: 11 controls are entirely new (threat intelligence, information security for use of cloud services, and data leakage prevention among them) and have to be implemented from scratch. Organizations that treat the transition as a documentation exercise arrive at the certification audit with operational gaps that surface as major nonconformities.

Systematic review of Annex A against the organization's actual operations.
Identification of critical gaps and unmitigated risk.
Migration plan from the 2013 version with prioritized timeline.
Executive translation of technical findings into business language.
ISMS scope definition and critical asset identification.
Document review, interviews and control testing.
Executive report delivery and closing session with management.
An initial assessment with gap analysis takes 5 to 10 business days depending on scope (number of sites, employees in scope, and technology complexity). A full field audit requires 15 to 30 days. The factor that most affects timelines is not organization size but documentation maturity: if the risk register, the SoA, and control evidence are outdated, evidence gathering extends significantly. We recommend starting with the 72-hour assessment to size the actual effort.
A typical compliance vendor works from generic checklists and delivers a status report. An assessment with ISO lead auditor rigor applies risk-based sampling, verifies operational evidence against each clause's requirements, and applies the same criteria the certification body will use. The difference lies in the depth of the findings: we do not report 'compliant/non-compliant' but classify each nonconformity by business impact and by the likelihood that a formal audit would detect it.
Directors, CISOs, and compliance officers across Latin America share their experience with Fernando Arrieta's independent assessments.
Fernando's assessment identified 14 non-conformities that three previous audits had overlooked. The difference lies in the depth of analysis with real operational evidence, not just documentation.
Fernando Arrieta offers evaluation, assessment, and methodological guidance services for management systems. These activities are independent of the certification process, which is carried out exclusively by accredited certification bodies.