Independence and conflict-of-interest management
In security and compliance, a consultant's independence is no formality: it determines whether their judgment can be trusted when a control fails. A consultant with an undisclosed economic or competitive tie ends up protecting that relationship, not the client paying for the audit. That is why we screen every request before the first meeting, not after signing.
What we exclude, without exception
We decline any engagement where, at the time of review, any of the following circumstances exists:
- An active contractual relationship between a team member and the requesting organization. If anyone on the team holds full-time employment or a retained consulting arrangement with the prospect (or with a direct competitor of the prospect) we do not take the engagement. This exclusion is declared up front and admits no exceptions.
- Competitive overlap between clients. We do not simultaneously operate the control systems of two direct competitors in the same market and the same time window when knowledge of one would compromise neutrality toward the other.
- Disproportionate economic dependence. We structure the portfolio so that no single client represents a share of revenue large enough to compromise our ability to raise an uncomfortable finding or to decline a renewal.
- Incompatible dual role. We do not design a control and then audit it as though we were an independent third party. When we support the QSA or the certification body, we do so declaring our advisory role, never substituting the auditor's sovereign assessment.
Reference framework
The standard we apply derives from the guidelines of ISACA, EC-Council and the PCI SSC Code of Professional Responsibility. The standard comes from those bodies; the decision to decline is ours, and we own it in writing.
Log of declined engagements
Every time we turn down an engagement over an independence conflict, we log it: date, reason for declining and conflict category, without exposing any prospect data. That log remains auditable by any active client under NDA. It is how we demonstrate that independence is not a marketing claim but a practice backed by evidence.
Why we publish this
A specialist firm that handles regulated information from payment processors, fintechs and companies under the supervision of Peru's banking regulator (SBS) or the data protection authority (ANPDP) needs its independence to be verifiable, not assumed. Publishing the criteria in advance lets a buyer rule out the conversation in thirty seconds if they spot a conflict we would spot too. We would rather lose that meeting than lose our neutrality.
Unsure about a possible conflict before reaching out? Raise it directly in the first conversation. If there is overlap, we'll say so on that same call.