Risk analysis
Per asset. Identification, assessment, treatment.
ISO 27001:2022 with asset-level risk analysis, documented Annex A controls and continuous review. We coordinate the technical audit with Summum Sistemas.
ISO 27001 is now the standard that any enterprise client demands before signing a contract, and regulators are increasingly relying on it (NIS2, DORA, ENS). Without it, entire sectors — banking, private healthcare, defence, public sector — become inaccessible.
We implement with the 2022 revision (current) and the 93 controls of Annex A: per-asset risk analysis, explicit statement of applicability, signed policy, operating procedures, prior internal audit and continuity plan.
The regulatory and procedural side is covered by Calidad; the technical side — system-state audit, SOC, control evidence — is covered by Summum Sistemas. A single implementation, two coordinated disciplines.
Per asset. Identification, assessment, treatment.
93 Annex A controls justified one by one.
Policy, procedures, technical controls with Sistemas.
Internal, external, annual maintenance.
The operational detail: what we deliver as part of the engagement and what we keep active afterwards.
Per-asset risk analysis
Inventory, threats, documented treatment.
Statement of applicability
93 controls. Applies / not applicable / reason.
Policy and procedures
Signed by management, per domain.
Technical controls (with Sistemas)
EDR, SIEM, vulnerabilities, backups.
Internal audit
Before the external one.
Continuity plan
Coordinates with 22301.
27001 is the standard. NIS2 and DORA use it as a reference.
27001 without SOC is just paperwork.
Never a legal requirement as such. Enterprise clients demand it. NIS2 makes it quasi-mandatory.
93 controls. Organisational, technical, physical.
Essential. Technical part handled by Sistemas; management, here.