ISMS: Key Tool for Risk Prevention
Season 6 Episode 07
Transcript
Juan José Ríos (Host):
In the digital age, where information has become one of the most valuable assets of organizations, security can no longer be approached solely from a technical or reactive perspective. The real challenge lies in anticipating, assessing, and managing risks that may affect the confidentiality, integrity, and availability of data.
How's it going? How are you? I'm Juan José Ríos. Welcome to Mundo Financiero Seguro, the Plus TI podcast.
In this space, we explore information security from a clear, structured, and strategic approach: risk management. A space for reflection and learning where theory, regulations, professional experience, and the real challenges faced by organizations of all sizes and sectors are connected, especially in highly regulated environments such as finance.
Our goal is to provide clarity, depth, and practical value to security professionals, compliance officers, technology directors, auditors, risk managers, and all those who must make sound decisions in an increasingly complex digital environment.
For this episode, I am joined by two experts: Liliana Martínez, systems engineer, expert in auditing and management systems, with more than 15 years of experience as a teacher and international consultant in ISO standards; and Jorge Diéguez, Risk and Audit Product Manager at Plus TI.
Liliana, Jorge, thank you for joining us.
Today we will begin by addressing one of the major paradigm shifts that has transformed information security in recent years: it is no longer enough to implement controls; now it is about understanding risks from their source.
Jorge, I'll start with you. Why is the risk-based approach more effective than traditional approaches to information security?
Jorge Diéguez:
Thank you very much, Juan José. Greetings to everyone listening, and it's a pleasure to be with you for this session.
The risk-based approach has gradually become a fundamental pillar for many organizations, as it transforms information security into a strategic and proactive tool. This is mainly because it allows organizations to protect what really matters and do so in a proportionate manner, aligned with the objectives and scope of the business.
Unlike traditional approaches—which often focus on "compliance for compliance's sake" through generic checklists—the risk-based approach allows organizations to manage, justify, and continuously improve information protection, without disruption and in a much more effective way. Why? Because it prioritizes security efforts.
These efforts are guided by the actual impact that an incident could have on business objectives and operations. While traditional approaches tend to be uniform and reactive, the risk-based approach is strategic, adaptable, and designed to support more informed decision-making.
I would like to highlight three key aspects of this approach.
The first point is intelligent prioritization. Not all assets or threats have the same value or level of criticality for an organization. The risk-based approach allows us to identify what we should protect first, how much to invest in that protection, and what controls are really necessary.
This also contributes to better resource optimization, a key aspect for organizations that, in many cases, have limited budgets.
The second aspect is residual risk reduction. By identifying specific vulnerabilities and threats, controls can be applied to reduce risk to acceptable levels, within the organization's tolerance range.
This approach does not seek to eliminate all risks—something that is practically impossible—but rather to manage them in a conscious and proportionate manner. This requires a well-structured process that includes the identification of critical assets, the assessment of threats and vulnerabilities, the analysis of impact and frequency, and the appropriate selection of security controls. It is a comprehensive and continuous cycle.
The third point is adaptability. We live in a highly dynamic environment: threats evolve, systems change, and technology is constantly transforming. Factors such as cloud computing, artificial intelligence, and remote working directly influence this context.
The risk-based approach is dynamic and revisable, allowing it to adapt to changes without having to rebuild the entire security system. It is a continuous management process that focuses on understanding the relationship between critical assets, emerging threats, and their impact.
Thanks to this approach, it is possible to constantly reassess risks in scenarios such as the use of SaaS services, the adoption of artificial intelligence, or the increase in threats such as ransomware and phishing.
Juan José Ríos:
The information you share is very valuable, Jorge. This leads us to reflect on security as a cross-cutting issue within the organization. It can no longer be addressed solely from the IT or compliance perspective.
How should information security risks be integrated into overall corporate risk management?
Jorge Diéguez:
The integration of information security risks into corporate risk management is essential to achieving a holistic, consistent, and effective view of the organization's risk exposure.
In an increasingly digital environment, these risks are no longer exclusively technical; they are part of the strategic, operational, and regulatory risks that directly influence decision-making.
To achieve true integration, security risks must be linked to business objectives, processes, and critical assets. Any compromise to the confidentiality, integrity, or availability of information can directly impact operational continuity, regulatory compliance, and the organization's reputation.
This also involves translating technical risks into language that senior management can understand, explaining their potential financial, legal, and reputational impact if not managed properly.
It is important to define unified criteria for measuring and comparing risks, using common probability and impact scales, and to incorporate technological risks into corporate risk appetite. In this way, clear tolerance thresholds are established.
In addition, the management of these risks must have designated managers within the corporate risk area, allowing senior management to receive periodic reports with key indicators such as KRIs, KPIs, and the evolution of threats.
Finally, technological risks must be reflected in the organization's risk map and, when their impact warrants it, form part of the most critical business risks. This strengthens organizational resilience and allows for the anticipation of adverse scenarios in an increasingly complex digital environment.
Juan José Ríos:
Well, you mentioned integration, and now we understand that it is key to ensuring that the ISMS does not become merely a compliance document, but a real management tool.
And following this line of reality, every so often the business world is shaken by cybersecurity incidents that leave important lessons.
In that regard, Jorge, what have we learned from recent major cybersecurity incidents in terms of risk management?
Jorge Diéguez:
There are several relevant aspects that we can highlight. To answer this question, I will refer to a recent report published by IBM, specifically its Threat Intelligence Index.
This report reveals that Latin America accounts for approximately 8% of cybersecurity incidents reported worldwide.
One of the most striking points in the report is that cybercriminals are adopting increasingly discreet tactics, especially for credential theft and ransomware attacks, which have seen a significant uptick in the region, from Mexico and Central America to South America.
For example, there were cases such as that of Banco do Brasil, where the attack targeted employees of the institution, allowing attackers to access internal databases. As a result, the personal and financial information of more than two million customers was stolen, data that was then used to commit financial crimes that generated losses of close to 40 million reais, equivalent to about seven million dollars. This demonstrates the real impact that failing to adequately address control measures can have.
Another similar case occurred with Bank of America, which in February 2024 suffered a security breach that led to the exposure of personal and financial data of more than 57,000 customers.
These incidents reinforce the importance of proper management of information security risks, including those associated with suppliers, an area that should not be overlooked.
All these situations teach us profound lessons about how risk is being managed—or not—in complex digital environments. They reveal not only technical vulnerabilities, but also structural flaws in the way many organizations understand and apply risk management.
This confirms that risk management cannot be a static or bureaucratic activity.
A common mistake is to treat risk assessment as a document that is updated once a year. Recent incidents show us that threats evolve much faster than traditional assessment cycles and that technological environments are highly dynamic. It is not enough to assume that existing controls are sufficient; even a small breach is enough for an incident to occur.
Another key aspect is resilience. In many cases, it is not the initial attack that exacerbates the impact, but rather the lack of preparedness to respond and recover. The absence of contingency plans, incident response plans, drills, or tests, as well as failures in internal and external communication, significantly increase the damage.
Therefore, it is essential that security policies and controls are evaluated through recovery testing. Only then can their effectiveness be measured. This reinforces the need for risk management to include not only prevention, but also preparedness, response, and resilience.
Juan José Ríos:
Thank you, Jorge. Everything you share is very interesting.
Now Liliana Martínez from Colombia joins the conversation. Liliana has extensive experience working with norms, standards, and best practices, and has a very practical view of how these tools work in the organizational reality.
Liliana, based on your experience, what are the current trends that organizations should consider to protect their information and data?
Liliana Martínez:
Thank you, Juan. Indeed, one of the fundamental pillars for organizations continues to be ISO/IEC 27001, the international standard for information security management.
This standard ensures that the necessary requirements and controls are in place to mitigate the risks affecting the organization's most important information assets.
It is important to clarify that ISO 27001 is the certifiable standard and is complemented by ISO 27002, which acts as a guide to good practices for the effective implementation of the management system.
Many organizations adopt these standards because they are required to do so, but they are most valuable when implemented voluntarily, with a preventive rather than corrective approach.
Management systems encourage us to work by processes, measure their performance, and provide senior management with reliable information for decision-making.
When an organization decides to implement a management system, there is an awareness and training process that allows for the articulation of multiple elements: from organizational strategic planning to strategic planning for information security, risk management, process documentation, measurements, and periodic reviews of the system.
Another relevant point is the 2022 version of ISO 27001. We currently have 93 security controls, compared to 114 in the 2013 version. This is not a reduction, but rather an integration and evolution of controls, as well as the incorporation of new approaches aimed at prevention and continuous monitoring of critical assets.
The role of senior management is fundamental. When the highest authority in the organization understands that information security generates real benefits, the path becomes much easier. Prevention will always be more cost-effective than correction, and knowing, classifying, and protecting information assets reduces financial losses and operational risks.
Information security encompasses both physical and digital aspects. It is not limited solely to computer systems. For example, a physical document containing sensitive information must also be protected.
This is directly linked to personal data protection laws, which no longer analyze only the medium, but also the type of information it contains and its level of sensitivity.
In the current version of the standard, controls are grouped into four broad domains: technological, people, physical, and organizational. This reinforces the idea that threats come not only from technology, but also from the human factor and third parties, such as suppliers.
Therefore, it is essential to establish security policies, awareness programs, and controls related to teleworking, access control, cryptography, physical security, operational security, and incident management.
A process-based approach is key. Having documented procedures ensures that activities are carried out consistently and that staff, including new hires, are clear about their responsibilities.
Likewise, issues such as communications security, software development, supplier management, and legal compliance—including data protection and intellectual property rights—are becoming increasingly important.
Finally, implementing these controls allows the entire organization to be aligned under a culture of security, from senior management to the lowest operational level. This strengthens prevention, knowledge of information assets, and informed decision-making to effectively mitigate risks.
It is important to remember that management systems are developed under the PDCA cycle: Plan, Do, Check, Act.
Some organizations believe that simply carrying out planning means they already have a management system in place, but this is not the case. In order to comply with the internal audit requirement of the standard, as well as for those companies seeking certification, it is essential to correctly complete all stages of the cycle.
Only after fulfilling them 100% can the certifying body validate that the organization not only implemented the management system under the criteria of the ISO 27001 international standard, but also maintains and continuously improves it.
To give you a clearer idea, during the planning stage—which in ISO 27001 corresponds to requirements 4 to 7—the context of the organization, the stakeholders, and the entire risk management process are worked on, in accordance with the methodology defined by each organization.
Next comes the "doing" phase, which consists of demonstrating the operation of the system, that is, executing everything that was planned.
Then we move on to the "verify" stage, which includes review by senior management, monitoring using indicators, and internal auditing, which allows us to identify opportunities for improvement.
Finally, there is the "act" stage, corresponding to requirement 10 of the standard. Here, corrective and improvement actions are established, especially in response to errors, inconsistencies, or non-conformities detected during audits. This step is key to strengthening what has already been implemented.
That's why this question is so valuable, Juan, because it allows organizations to understand that there is indeed a clear path to properly addressing information security and data protection.
Juan José Ríos:
Thank you, Liliana. We understand, then, that these trends provide a clear roadmap for many organizations. However, in practice, one of the biggest challenges is knowing where to start, especially when there are limitations in terms of resources or internal knowledge.
Now, in that context...
Liliana Martínez:
In that context, Juan, the standard really takes us by the hand. If an organization has never had a management system, it is essential that it start with the standard, because it tells you step by step what to do.
In addition, we now have specific standards that explain how to approach risk management and compliance. And here I would like to give the floor to Jorge to help us answer a key question: how can we achieve successful implementation?
Jorge Diéguez:
Thank you, Liliana. When it comes to implementing an information security management system, whether under the 2013 or 2022 version of ISO 27001, it is essential to have the involvement of senior management.
One of the most common mistakes is to think that information security is a project exclusively for the IT department. This often leads to failure, because the objectives are not achieved. Implementation must be a cross-functional effort, involving the entire organization.
Another key point is the development of an information security culture. We cannot expect people to adopt the system solely through an email. Training and awareness activities are necessary to clearly explain the importance of information security throughout the company.
The main factor for success is the commitment of senior management, their constant support, and the allocation of the necessary resources. But above all, information security must become part of the organizational culture and people's daily lives.
Juan José Ríos:
Excellent. Returning to the topic of security culture, Liliana, how can we keep it alive, relevant, and attractive so that the professionals listening to us can replicate it in their teams?
Liliana Martínez:
Juan, it is essential to understand that the standard invites us to raise awareness, not simply to inform. It is not about sending an email with an image, but about generating value for the employee who performs their daily work.
Training should be regular, not just during the implementation of the system. Risks change, controls evolve, and staff change too. That's why training should be ongoing, ideally at least once a month.
It is important to carry out dynamic activities: practical exercises, simulations, contests, and even different experiences that allow participants to understand what happens in the event of phishing or a ransomware attack.
When people identify with the real risks, they better understand the importance of protecting information assets and their own role within the organization.
A key aspect is for employees to understand how the loss of an information asset directly affects their work and responsibilities. When the real impact is understood, awareness is much more effective.
Raising awareness means giving meaning to actions: explaining why equipment should be locked, documents should not be left in plain sight, or passwords should not be shared. When the "why" is explained, the culture of security is kept alive within the organization.
Juan José Ríos:
Fantastic. Without a doubt, when we understand the reasons behind things, we are more willing to comply with them.
To wrap up this episode, I would like to ask you for a final message for our audience. Liliana, go ahead.
Liliana Martínez:
Thank you, Juan. Today, many organizations already have quality, anti-bribery, or environmental management systems in place. What is lacking, in many cases, is the integration of information security as a central component.
The Information Security Management System allows for the coordination of quality, compliance, anti-bribery, and business continuity. This integration is key for an organization to be sustainable, enduring, and adequately protect its information assets.
My invitation is clear: let's do it. The standard exists, the path is defined. It doesn't matter if the organization is large or small, or if the budget is limited; the standard helps optimize resources and work smarter.
Implementing ISO 27001 means adopting best practices, strengthening compliance, and ensuring adequate protection of information assets.
Juan José Ríos:
Thank you, Liliana. Jorge, your final message.
Jorge Diéguez:
In closing, I would like to remind you that information security and risk management are not simply a list of controls, but an essential part of business strategy.
A well-implemented management system allows the organization to be more resilient, adaptable to change, and efficient in the use of its resources.
The risk-based approach becomes a true strategic differentiator and a factor of trust for customers and partners.
Finally, I invite you to integrate technology, regulations, and knowledge. Technology allows us to automate processes, regulations show us the way, and we acquire knowledge through spaces such as Mundo Financiero Seguro.
Thank you for joining us.
Juan José Ríos:
We have certainly gained some very practical and valuable insights. Thank you, Liliana, thank you, Jorge, for helping us understand ISMS not as a requirement, but as a strategic tool for risk prevention.
And to all of you listening, thank you for joining us on this episode of Mundo Financiero Seguro, the Plus TI podcast.