In a first phase we verify that, in general terms and always following the WTO criteria, that the software meets a series of established requirements. In a second phase, the final audit will be carried out, taking evidence of all the control points and requirements that this certification marks.

The audit has a series of steps: Study the approval requirements, analyze the system subject to certification, demonstrate compliance with control points, security, privacy, documentary, etc., as well as other issues such as analyzing the business continuity plan. , operations, disaster recovery plan or DRP, internal and external communication plan for incidents or crises, response plan and contingency of the information system for incidents….

As a differential point I work this type of turnkey project audits where I am generally hired for consulting and prior advice to comply with the regulations, pre-audit, audit and complete documentation (4 documents). In this way my clients only have to focus on adapting their solution to the points of NO conformities that it detects. Currently, in direct line with the Tax Agency I have a checklist that ensures success and certification in a matter of a few weeks (depending on the project).

The collaboration usually has the following phases: Training of the client technical team and detection of nonconformities, advice, pre-audit, audit and documentation.

The ENS that aims to establish the security policy in the use of electronic means, the main elements of the ENS being the following:

The basic principles to consider in security decisions.
The minimum requirements that allow adequate protection of information.
The mechanism to achieve compliance with the basic principles and minimum requirements by adopting security measures proportionate to the nature of the information and services to be protected.
Electronic communications.
The security audit.
The response to security incidents.
Safety certification.
Compliance.

For ISO 27001 there are three dimensions of security, which are:

Confidentiality, which preserves the information so that it is only accessible or known by those who have authorization to do so.
Integrity, which preserves the information so that it is only altered by those who have authorization to do so. An extreme case is the suppression of information.
Availability, which guarantees that the information is accessible during the agreed period, normally through a service level agreement (SLA / ANS). It is usually a dimension associated with the services that process the information.

The National Security Scheme adds two additional dimensions to these three:

Authenticity, which guarantees that whoever carries out a procedure is really who they say they are or, from the point of view of information, guarantee that it is authentic.
Traceability, which ensures that all the procedures carried out are recorded, indicating who did them and at what precise moment or, from the point of view of the information, making it possible to verify afterwards who has accessed or modified it, and when.

I analyze the information technologies that support the business through meetings with suppliers, detect gaps and unmet needs, and finally, projects are proposed that resolve this situation, typically three years from now, prioritized with direction, and approximate estimates of their costs. I have led the digital transformation of national and multinational companies in sectors as diverse as logistics, pharmaceutical laboratories, manufacturing, distribution, law firms, …