We safeguard your organization's compliance and security
Audit, anti-money laundering prevention, and cybersecurity under one team, with the regulatory rigor of SARLAFT and SAGRILAFT and a secure-development approach aligned with ISO 27001.
- 6 specialized service lines
- Colombia, with expansion underway to Peru and Ecuador
- Approach aligned with ISO 27001
Seven service lines, one team
Comprehensive coverage in regulatory compliance, audit, and cybersecurity, designed for regulated organizations.
SARLAFT
Money Laundering/Terrorist Financing Risk Management System: diagnosis, design, and implementation in line with current regulations.
SAGRILAFT
Self-Control and Risk Management System for money laundering, terrorist financing, and WMD financing, for real-sector companies.
Cybersecurity
Information protection and secure development, aligned with ISO 27001.
Audit
Internal, external, and compliance audits using rigorous, objective methodologies.
Compliance
Tailored regulatory compliance programs, built to last.
Security
Physical and information security integrated into business operations.
SOC Reports
SOC 1 and SOC 2 reports under AICPA standards, for enterprise clients that require audited evidence of your controls.
Specialists in compliance, audit, and cybersecurity
We are a Colombian firm that supports regulated organizations in managing their compliance and security risks, combining deep SARLAFT and SAGRILAFT regulatory knowledge with a technical, secure-development approach.
- A multidisciplinary team across law, audit, and technology.
- Methodologies aligned with international standards, including ISO 27001.
- Hands-on support, from diagnosis through implementation.
We believe compliance and security aren't a burden: they're a competitive advantage when managed with the right rigor.
Compliance and security, in the field
Growing regional presence
We currently operate from Colombia, with expansion underway toward Peru and Ecuador.
Colombia
Active officeHead office and core operations team.
Peru
Coming soonExpansion underway.
Ecuador
Coming soonExpansion underway.
Let's talk about your organization's needs
Schedule a conversation with our team and discover how to strengthen your organization's compliance and security.
Contact us →Industries we serve
Sector expertise in the industries with the highest regulatory and security demands.
SARLAFT and SAGRILAFT, with a secure-development approach
While many firms offer audit or cybersecurity separately, at Bardona we combine deep SARLAFT and SAGRILAFT expertise with a secure-development approach aligned with ISO 27001 — a combination built for organizations facing regulatory and technological demands at the same time.
Explore the service →- Regulatory diagnosisAssessment of your current standing against SARLAFT and SAGRILAFT.
- Tailored implementationPolicies, risk matrices, and procedures tailored to your operation.
- Ongoing monitoringPost-implementation support to sustain compliance.
What we're seeing in the field
The most common mistakes when preparing for a SARLAFT audit
Most findings we see don't come from missing policies — they come from nobody actually applying them day to day. Before an audit, it's worth checking whether your AML/CTF risk matrix reflects how the company operates today, not how it operated two years ago.
View SARLAFT service CybersecuritySecurity by design: what it actually means in practice
It isn't bolting on a control at the end of the project. It's including risk assessment at the design stage, before a single line of code is written, so fixing a problem costs hours of adjustment instead of months of rewriting.
View Cybersecurity service SOC ReportsSOC 2 isn't a certification: what to know before you start
A SOC report is an audit report, not a seal. That changes how you should prepare: documented evidence matters as much as the control itself, and a Type II report requires several months of observed operation, not a single-day snapshot.
View SOC Reports serviceWhy choose us
-
SARLAFT and SAGRILAFT expertise
Deep, up-to-date regulatory knowledge in AML/CTF prevention, applied by a team that audits against these frameworks routinely — not as an occasional service line.
-
Secure development and ISO 27001
Cybersecurity is built in from the design stage, not bolted on afterward: our secure-lifecycle approach is aligned with ISO/IEC 27001.
-
Regional vision
An operating base in Colombia, with expansion underway toward Peru and Ecuador — built for clients who need the same compliance standard across several countries.
-
Multidisciplinary team
Legal, audit, and technology profiles working in an integrated way on every project, rather than coordinating across separate vendors.
Frequently asked questions
We answer the most common questions before you start a project with us.
How long does a typical audit or compliance project take?
It depends on scope, but an initial diagnosis usually takes 2 to 4 weeks, and a full implementation (SARLAFT, SAGRILAFT, or a cybersecurity management system) takes 2 to 4 months. In our first meeting we give you a concrete timeline for your specific case, not a generic range.
How do you protect the confidentiality of our information?
We sign a confidentiality agreement before receiving any sensitive information, restrict access to client data to the team assigned to the project, and handle personal data in accordance with Colombian Law 1581 of 2012.
What happens if you find a critical finding during the diagnosis?
We tell you immediately — we don't wait for the final report. A high-risk finding warrants a conversation the same day, with a clear containment recommendation while the full action plan is defined.
Do you work with companies outside Colombia?
We currently operate from Colombia and are in the process of expanding to Peru and Ecuador. If your organization has a regional footprint, tell us about your case — a good part of our work is already done remotely with multi-country teams.
Does support end once you deliver the report?
No. We follow up on the implementation of agreed recommendations, and for services like SARLAFT, SAGRILAFT, or SOC reports, support continues through the update and annual renewal cycles.
How does a project with Bardona start?
With a free initial conversation to understand your situation and your actual level of risk. From there we deliver a proposal with a concrete scope, timeline, and fee — no fine print.
Let's take the next step together
Write to us and we'll show you how to strengthen your organization's compliance, audit, and cybersecurity.
Contact Bardona →