ISMS implemented - Certification in progress

Information security
with processes, evidence and committed deadlines

We operate an Information Security Management System (ISMS) aligned with ISO/IEC 27001. The controls are already in place; certification completes the cycle. For our public sector clients, this means continuity, confidentiality, and auditable traceability from day one.

ISMS in operation · ISO 27001 expected Aug. 2026 · Designated CISO · Current policies

  • ISMS status: In operation. Current policies, implemented controls, completed internal audit.
  • External audit: In progress. Certification body contracted; Stage 1 planned.
  • ISO 27001 certification: August 2026. Target deadline committed to our management and clients.
  • Remaining period: ~3 months. Final implementation, audits and closure of findings.
Why it matters

Why a robust ISMS is not optional in the State

When we operate public systems, we handle data that affects rights, benefits, and strategic information for the country. Security is a contractual, legal, and ethical obligation—not a "nice-to-have."

Protection of citizen data

Medical records, tax data, civil registries, information on vulnerable individuals. That trust cannot be lost.

Regulatory compliance

Data protection laws, sector regulations and public procurement frameworks require demonstrable and traceable controls.

Continuity of public service

A security incident can halt an entire program. Managing risk is about protecting operations.

Defensibility before an audit

Our public procurement team and the court of auditors will ask questions. We provide auditable evidence, not statements of intent.

ISMS today

What we already have implemented

The ISMS doesn't begin with certification: certification validates it. Today we already operate with policies, controls, and governance—the formal ISO 27001 process completes the external assurance cycle.

IS Policy

Information Security Policy

Approved by management, communicated to 100% of staff, reviewed annually and aligned to ISO/IEC 27001.

Governance

Designated CISO and security committee

Security officer with an executive mandate, an interdisciplinary committee and direct reporting to management.

Risk analysis

Formal risk management methodology

Documented asset inventory, threat and vulnerability analysis, risk matrix, and treatment plan.

Technical controls

Technical operational controls

Access management, MFA, encryption in transit and at rest, network segmentation, tested backups, and vulnerability management.

People

Awareness and training

Awareness campaigns, confidentiality agreements, specific technical training, and phishing drills.

Suppliers

Third-party management and supply chain

Evaluation of critical suppliers, security contract clauses, and compliance monitoring.

Incidents

Incident response

Documented procedure, reporting channel, defined roles, internal SLAs, and customer communication protocol.

Continuity

Continuity and recovery

Business continuity plan, disaster recovery plan, offsite backups and regular testing.

Panama

Internal audit

First internal audit completed. Findings under treatment, documented with deadlines and responsible parties.

Uruguay · Cybersecurity Framework

Adaptation to the AGESIC Cybersecurity Framework

AGESIC defines the cybersecurity framework that guides and regulates information security management for Uruguayan government agencies. Our ISMS is aligned with its categories and controls, ensuring that projects with Uruguayan public clients benefit from this compliance from day one.

UY
AGESIC · Uruguay

ISMS adapted to the five functions of the framework: Identify, Protect, Detect, Respond and Recover

We work with the same structure and terminology as the framework — based on NIST CSF and adapted to the Uruguayan public sector — so that the evidence, controls and reports of our ISMS are directly usable by the client.

  • Identify — asset inventory and risk management aligned with the framework.
  • Protect — access controls, encryption, training, and secure development.
  • Detect — continuous monitoring, logging, alerts, and event analysis.
  • Respond — incident response plan and integration with CERTuy / CSIRTuy.
  • Recover — proven business continuity and disaster recovery plans.
  • Reporting — evidence in the format required for AGESIC audits.
Roadmap

Plan towards ISO 27001 · 3 months

Internal and external commitment: ISO/IEC 27001 certification in August 2026. Work plan structured in three operational stages plus the certification phase, with responsible parties, deliverables and auditable evidence.

The roadmap doesn't start from scratch: the ISMS is already operational. The next three months will involve consolidating evidence, closing remaining gaps, conducting formal audits (internal and external), and obtaining certification. By the end of this period, our public clients will have ISO 27001 certification as part of their procurement documentation.

Month 1 · May 2026

Consolidation and gap closing

Final review of ISMS documentation, closure of remaining internal audit findings, and preparation of the evidence file.

  • Update of policies and procedures
  • Closing of internal findings
  • Evidence of SoA controls
  • Updated risk matrix
Month 2 · June 2026

Audit Stage 1 and final preparation

Document audit of the certifying body (Stage 1). Review of the ISMS, policies and statement of applicability. Adjustments based on observations.

  • Audit Stage 1 (documentary)
  • Treatment of observations
  • Final training for the team
  • Response simulations
Month 3 · July 2026

Stage 2 Audit and Treatment of Findings

On-site audit by the certifying body (Stage 2). Operational verification of controls. Action plan for minor non-conformities.

  • Audit Stage 2 (operational)
  • Verification of controls
  • Findings action plan
  • Evidence of closure
August 2026 🏁

Issuance of the ISO 27001 certificate

Formal closure of the process, publication of the certificate and availability of the documentation for public procurement files.

  • Certificate issued
  • Publication on the site
  • Proposal update
  • Continuous improvement cycle
Controls framework

Controls aligned with Annex A of ISO 27001:2022

We work with the 93 controls of Annex A, grouped into the 4 themes of the 2022 version. Below are representative examples by theme.

Organizational

  • IS policy
  • Roles and responsibilities
  • Classification of information
  • Supplier management
  • Incident management
  • Business continuity
  • Legal compliance

People

  • Background checks
  • Confidentiality agreements
  • Awareness and training
  • Disciplinary process
  • Secure remote work
  • Security event reporting

Physical

  • Secure areas
  • Physical access control
  • Protection against environmental threats
  • Clear desk and clear screen
  • Equipment security
  • Media management

Technology

  • Access management · MFA
  • Encryption in transit and at rest
  • Vulnerability management
  • Logging and monitoring
  • Network segregation
  • Backups and disaster recovery
  • SAST · DAST · SCA
  • Secure development · SSDLC

Support from the organization

ISO 27001 complements a mature management system

ISO 27001 certification is based on a management system that is already certified for quality, environmental, and anti-bribery standards, as well as a CMMI-DEV ML3-appraised development maturity model.

Quality

ISO 9001

Certified quality management system.

Environment

ISO 14001

Environmental management system.

Anti-bribery

ISO 37001

Anti-bribery management system.

CMMI-DEV ML3

Development process appraised at CMMI-DEV Maturity Level 3.

Coming soon

ISO 27001

Certification is scheduled for August 2026.