Business no longer has borders and is increasingly globalized. In this context, an Information Security Management System becomes essential for companies that expand their operations through contracting and subcontracting, thus making third-party risk a strategic factor for their survival.
Several laws around the world establish the concept of joint and several liability. In Brazil, this concept is especially present in the Civil Code, the Consumer Defense Code, and the General Data Protection Law (LGPD), among others.
Joint and several liability is a legal concept meaning that more than one person or company may be required to respond for the same issue, fully or partially, regardless of who directly caused the error.
Thus, in the context of third-party risk, the contracting party may be held liable for acts carried out by its contractors when those acts cause damage to third parties on its behalf.
What is the contractor’s responsibility?
In general, the contractor’s responsibility mainly arises from:
- Culpa in eligendo: occurs when there is poor selection of representatives, employees, or service providers, generating liability for damages resulting from that choice.
- Culpa in vigilando: arises from the lack of proper supervision or oversight of people or activities under one’s responsibility.
- Culpa in omittendo: results from omission, when the responsible party fails to act when it should, causing harm.
Although a right of recourse against the contractor may exist to determine their responsibility for the damaging event, initially it is the contracting party who responds to third parties for the outcome of the damage.
Therefore, the contractor must adopt effective measures to select, assess, and monitor the activities of its suppliers before contracting, throughout the contractual term, and also implement security measures after contract termination.
Third-party risk
Third-party risk is not limited to contracted suppliers alone, but encompasses all organizations that, directly or indirectly, interact with the company.
Interdependence among organizations can make this process complex and extensive. However, it is up to the company to define the level of risk it is willing to assume and establish how far its investigation and monitoring will go.
Due diligence processes focused on integrity, security, and information privacy represent the starting point. In addition, well-structured contracts must clearly define roles and responsibilities.
In many cases, dependence on specific solutions and technologies exposes the fragility of third-party controls. Two recent examples from 2025 illustrate this reality: the outage of a major cloud provider in the United States and fraud within the Pix ecosystem.
In the cloud provider outage, fintechs, e-commerce sites, digital banks, and other platforms became unavailable within minutes. The issue was not internal but related to a critical third party. What had been invisible infrastructure became a single point of failure.
In fraud involving the Pix ecosystem, criminals do not attack financial institutions directly. Instead, they exploit technical intermediaries such as messaging services, APIs, and gateways, manipulating communications, diverting funds, and converting the amounts into cryptoassets within minutes. Even so, responsibility toward customers and regulators falls on the financial institution, not on the third party.
In both cases, a large number of internal processes were affected by external failures.
In practice, these risks are often unknown or underestimated in risk matrices, even though their business impact is significant and cannot be ignored.
Risk Management in Information Security
However, risk management should not be treated as an isolated or “miracle” solution. It must be integrated into a structured management system, interacting with other organizational processes and resources.
The risk management process should be aligned with recognized frameworks, such as:
- ISO/IEC 27001 (Information Security)
- ISO 37301 (Compliance Management)
- ISO 37001 (Anti-Bribery Management)
- COSO ERM 2017 or ISO 31000 (Enterprise Risk Management)
In addition, the management system must include robust Business Continuity Planning (BCP) and Disaster Recovery (DR) processes. Well-crafted contracts and SLAs are important, but the business cannot stop while waiting for contractual enforcement. The organization must be prepared to face adversity.
In moments of chaos, stress, and pressure, decisions must be based on previously defined and tested criteria, not on intuition.
Once again, the risk management process manifests itself in this scenario. Crisis management begins with risk management, by preparing the organization for adverse scenarios. Identified risks support the actions that must be executed in the event of disruption.
In an environment where risks are increasingly fast-moving, interconnected, and invisible, merely reacting to incidents is not enough. A structured management system is required, capable of transforming risk management into a continuous, integrated, and controlled process.
A management system is much more than a set of policies. It is an integrated structure that connects processes, people, and technology, ensuring the achievement of critical objectives even in the presence of risks. In the corporate context, this means applying principles of governance, monitoring, and continuous improvement.
An effective management system must be multidisciplinary, as its effectiveness depends on internal and external factors and on the nature of disruptive events. Among others, we highlight some areas relevant to the context of this article, without excluding other important areas depending on the organization’s operations.
Risk and Compliance Team
The Risk and Compliance team must operate with a high level of technical maturity, mastering risk treatment processes, defining indicators, parameterizing controls, and monitoring exceptions based on data and evidence. Their role goes beyond checklists, as they act as governance facilitators and agents of constructive challenge.
Legal Team
The Legal team should not be limited to contract review alone, but must be responsible for standardizing contractual clauses, interpreting local and international regulations applicable to the organization’s business (GDPR, LGPD, NIS2, SOX, HIPAA, CCPA, ESG, environmental legislation, etc.), providing legal advice during incident response, conducting complex negotiations, and ensuring that preventive and reactive measures are aligned with the company’s strategy and risk appetite.
Information Security Team
The Information Security team must operate both preventively and correctively, using risk management as the basis for decision-making. Its role is strategic and goes beyond technical protection, acting as the guardian of information confidentiality, integrity, and availability, as well as connecting technology, processes, and people, and structuring incident response plans.
Technical and Operational Teams
Technical and operational teams must have deep knowledge of processes and undergo regular training for adverse situations, including real tests and simulations (tabletop exercises), ensuring accuracy in response.
When these areas operate in a coordinated and aligned manner, they strengthen corporate governance and enhance the organization’s ability to anticipate risks, respond to critical events, and maintain the trust of customers, regulators, and investors.
What truly consolidates an Information Security Management System
In this context, the management system is not merely a set of documents, but a living governance model that organizes how the company prevents, detects, responds to, and learns from its own failures through continuous improvement. It integrates information security, anti-bribery prevention, data privacy, enterprise risk management, and business continuity (BCP) and disaster recovery (DR) structures, especially in relationships with critical suppliers.
In today’s corporate environment, marked by high complexity and constant digital transformation, a management system represents the foundation for ensuring security, compliance, and organizational resilience.
A well-structured management system is adaptable, auditable, and oriented toward continuous improvement. It defines responsibilities, establishes metrics, creates response plans, and involves leadership in decision-making so that the organization is prepared to respond with speed, coordination, and evidence.
Thus, more than complying with standards, implementing a management system is about transforming risks into competitive advantage, ensuring resilience and trust in a scenario where failures are inevitable, but crises do not have to be.
At iT.eam, we help companies structure Information Security Management Systems that integrate governance, risk, compliance, and technology. Talk to our team and find out how we can support your organization!