Cybersecurity Services

I help organizations implement, validate, and strengthen security programs—combining governance, risk and compliance (GRC), management system standards, and hands-on security testing to reduce risk and support business growth.

  • Audit-ready deliverables: evidence models, ownership mapping, and clear documentation
  • Risk-based execution: prioritize what reduces exposure and supports business goals
  • Pragmatic outcomes: less bureaucracy, more measurable security progress

Who I work with

Teams that need practical, measurable security outcomes—without unnecessary bureaucracy.

  • Startups preparing for enterprise customers and due diligence
  • Growing companies needing structure (policies, risk, controls) without bureaucracy
  • Teams pursuing or maintaining ISO/IEC 27001 certification
  • Organizations building AI governance with ISO/IEC 42001
  • Technical teams that need pentesting with actionable fixes

Typical outcomes: clearer ownership, faster readiness, stronger stakeholder confidence.

Core services

  • ISO/IEC 27001 Implementation & Certification Readiness

    Build an ISMS that’s audit-ready, lightweight, and sustainable—focused on clarity, ownership, and repeatable routines.

    What you get

    • Scope, context, and governance setup (roles, responsibilities, objectives)
    • Risk assessment approach + risk treatment plan structure
    • Policy and procedure pack (aligned to your environment)
    • Statement of Applicability (SoA) alignment + control ownership mapping
    • Evidence model: what to collect, who owns it, and update cadence

    Typical outcomes: faster audit readiness, fewer evidence re-requests, reduced audit friction.

  • ISO/IEC 42001 AI Governance Implementation (AIMS)

    Make AI governance operational: policies, records, and routines that hold up in real-world scrutiny—built to survive assessments, not just templates.

    What you get

    • AIMS scope and AI system inventory structure
    • AI risk identification + treatment workflow (practical and repeatable)
    • Governance roles, accountability, and decision routines
    • Documentation pack: procedures, records, monitoring cadence
    • Audit-readiness check: gaps, priorities, and improvement plan

    Typical outcomes: clearer governance for AI initiatives, defensible risk decisions, stronger readiness for reviews.

  • GRC Advisory & Risk-Based Security Programs

    Turn security into measurable governance: risk, controls, and evidence that scale across teams and stakeholders.

    What you get

    • Risk assessments (technical + business) and treatment planning
    • Control design and rationalization (avoid “checkbox security”)
    • Evidence mapping and traceability model (who/what/when)
    • Executive-ready reporting: risks, decisions, and next steps
    • Remediation management: issue tracking, prioritization, follow-up

    Typical outcomes: less confusion, more execution; controls aligned to real risk; stronger stakeholder confidence.

  • Audit Support (Internal Audits, Mock Audits, Supplier/Client Assurance)

    Get prepared before the auditor arrives—or strengthen your program after the audit. I focus on clarity, defensibility, and practical remediation.

    What you get

    • Audit planning: scope, criteria, and sampling approach
    • Evidence review and control effectiveness checks
    • Findings written clearly (defensible, risk-linked, actionable)
    • Corrective action plans and closure verification

    Typical outcomes: fewer surprises, faster remediation cycles, audits that drive real improvement.

  • PCI DSS-Focused Pentesting & Technical Validation

    Security testing aligned to PCI DSS expectations—built to validate real exposure, strengthen controls, and produce audit-friendly deliverables that teams can actually remediate.

    What you get

    • PCI scoping support: cardholder data environment (CDE) identification, segmentation assumptions, and testing boundaries
    • External & internal testing (as in-scope): web apps, infrastructure, and common attack paths into the CDE
    • Vulnerability validation with proof-of-impact when appropriate (to reduce false positives)
    • Prioritized findings mapped to risk and PCI DSS objectives, with clear remediation guidance
    • Retesting to confirm fixes and support closure for evidence packages

    Typical outcomes: PCI-ready reports, clearer risk acceptance decisions, faster remediation cycles, and stronger evidence for assessments.

Engagement packages

QuickStart — “Security Baseline in 2 Weeks”

Best for teams that need structure fast.

  • Rapid discovery + risk snapshot
  • Top-priority control and documentation set
  • Roadmap for ISO readiness or GRC maturity

ISO 27001 Readiness Sprint — “From Chaos to Audit Plan”

Best for companies aiming for certification.

  • Scope + SoA alignment
  • Evidence model + control ownership
  • Pre-audit readiness review + action plan

ISO 42001 AIMS Foundations — “AI Governance that Works”

Best for teams building AI processes.

  • AIMS scope + AI inventory approach
  • AI risk workflow + governance routines
  • Documentation pack + monitoring cadence

Pentest + Remediation Track — “Find, Fix, Verify”

Best for teams that want outcomes, not just findings.

  • Scoped testing + prioritized report
  • Fix guidance and retest window
  • Optional evidence pack for audits

How I work

  • Risk-based and pragmatic: I prioritize what reduces exposure and supports business goals.
  • Documentation you can actually use: clean, structured, maintainable deliverables.
  • Stakeholder-friendly: technical depth without losing executives.
  • Continuous improvement mindset: evidence, metrics, and iteration—not one-off checklists.

Let’s talk

If you’re hiring or need support with ISO/IEC 27001 or ISO/IEC 42001 implementation, GRC, audit readiness, or pentesting, I can help you ship practical security improvements—fast and clearly documented. Message me—I reply quickly.

You can write in English or Spanish.