Your situation
You're probably here for one of these reasons:
- The regulator announced something new. An SBS resolution, a compliance schedule, a new open-banking requirement — and you need an institutional position before the next board meeting.
- There's approved budget but no prioritization. The board said yes. Now you have to decide what to tackle first, what to defer, and why.
- There's a certification or audit on the horizon. PCI DSS, ISO 27001, a regulatory audit — and you need to know how much real work is ahead before committing to a date.
- An incident or major finding occurred. Something happened. You have to rebuild trust with the board, regulator or parent entity with a credible plan, not an improvised reaction.
Our approach
Workshops with people who know, not an email survey
The assessment is built in directed workshops with your IT, Risk and Operations teams, because what's documented in a policy and what actually happens in practice almost always differ. The report compares the two: where practice is better than documentation, where it's worse, and what decision to make in each case.
Frameworks we assess against
Three references, one unified view
- SBS Resolution 504-2021 — for institutions supervised by Peru's Superintendencia de Banca, Seguros y AFP.
- PCI DSS v4.0.1 — for any organization that stores, processes or transmits card data.
- ISO 27001:2022 — for the information-security management system, aligned with international practice.
Gaps are reported in a unified view: the same finding appears mapped to all three frameworks when applicable, instead of three separate reports your team then has to reconcile.
What we deliver
Verifiable documentation, not opinions
- Maturity report by domain — current level and target level, with documented justification.
- Regulatory gap matrix — what's missing, why it matters, how costly it is to close.
- Three-horizon roadmap:
  - Immediate actions (0-3 months) — closing high-risk findings or short-deadline regulatory demands.
  - Reinforcement (3-12 months) — raising the floor of control without requiring transformation.
  - Sustained maturity (12-24 months) — the path to reach the target level.
- Executive presentation ready for the board — without unnecessary jargon, with investment figures and return horizon.
What changes for you
Faster decisions, better-invested budget
- The board approves with judgment: it knows what it's prioritizing and why.
- The regulator finds an articulated plan in the first conversation, not a promise.
- Budget goes to what moves the needle, not what's easy to execute.
- The next phase — whether implementation with us or another provider — starts with clear, costed scope.
Next step
A 30-minute conversation to understand where you are
We don't need a closed scope to start talking. A 30-minute meeting is enough to know whether a 2PSECURE diagnostic fits your moment.