Tomás Miguel Herrero

Led ISO 27001:2022, ISO 27701, ENS (Spain), and Omologazione (Italy) certifications, integrating information security and privacy into a unified ISMS deployed across 14 countries in LATAM and EMEA. Coordinated internal and external audits achieving on-time certification. Drove PCI DSS v4.0 compliance for ticketing payment infrastructure, managing the QSA audit process and obtaining certification as Merchant and Service Provider. Designed an enterprise-wide Compliance Management System based on the Three Lines of Defense model, defining roles, controls, and governance structures. Developed and implemented a Criminal Liability Prevention Model (MPDP), establishing risk maps, internal controls, disciplinary protocols, and reporting channels to mitigate corporate criminal exposure across all operating jurisdictions.

Developed and enforced AML/CFT compliance policies, including risk assessments, transaction monitoring, CDD/EDD measures, and SAR filings. Managed ISMS and ISO 27001/27701 certifications, ensuring compliance with data protection standards and achieving a 20% reduction in security incidents. Led compliance risk management by establishing RCSA matrices, conducting gap analyses, and executing remediation plans, resolving 80% of audit findings. Implemented a control framework under the Three Lines of Defense model, using a RACI matrix to define roles for risk ownership, oversight, and independent assurance across the organization.

Provided regulatory compliance and risk management advisory across agribusiness, retail, pharmaceuticals, and energy, ensuring adherence to sector-specific regulations, governance frameworks, and international standards. Optimized financial compliance in the agribusiness sector through transaction monitoring, supply chain due diligence, and regulatory assessments, achieving a 70% improvement in audit conformity. Automated regulatory controls in the retail industry via BPMN, enhancing workflow standardization and audit traceability, resulting in a 25% reduction in compliance deviations. Developed enterprise risk frameworks in the pharmaceuticals sector, integrating quantitative risk modeling and internal control structures to mitigate 85% of systemic compliance risks. Implemented compliance training programs across the energy industry, strengthening regulatory awareness, audit procedures, and risk mitigation strategies throughout all operating jurisdictions.