Independent IT audit
An independent IT audit is a structured assessment of your IT infrastructure, cybersecurity posture, and governance practices. Conducted by a CISA-certified consultant using NIST-CSF, COBIT, and ISO 27001 frameworks, it delivers an executive summary and technical detail with prioritized recommendations. Factero works with your IT team, not instead of them. Environments we commonly audit: Microsoft 365, Azure, Entra ID, Google Workspace, AWS, Fortinet, SonicWall, Cisco Meraki, VMware, Hyper-V, Proxmox, Veeam, Acronis, Datto.
IT Budget Audit — We Check Whether You're Paying the Right Price
An IT budget audit is an independent review of your invoices, contracts, and technology spending. Factero analyzes your actual costs, identifies overcharges, duplicates, and unjustified renewals, then delivers concrete renegotiation or rationalization recommendations. The analysis is independent of your vendors and driven by no commercial interest. Most organizations overpay — or pay wrong — without the visibility to catch it.
Part-time IT leadership (vCIO)
A vCIO (Virtual Chief Information Officer) is a part-time IT leadership service, recurring and client-side. Factero handles technology governance, decision preparation, and IT vendor oversight — without a permanent hire. This service is primarily for organizations without an IT director, but it can also complement an existing internal resource on the governance side.
Interim IT Director — Someone to Steer Through the Transition
Interim IT management is a temporary, full-scope takeover of your organization's IT function. Factero steps in when the IT director position is vacant — departure, leave, restructuring — to ensure operational continuity, oversee vendors, and prepare technology decisions. That's exactly what an interim mandate is built for: preventing the organization from losing altitude without IT leadership.
Independent IT Second Opinion — Before You Sign, Get It Checked
IT counter-expertise (an independent second opinion) is an independent assessment of a quote, recommendation, or technology proposal you've received. Factero analyzes the document, verifies its technical and financial coherence, and gives you an independent opinion: Factero has no stake in the vendor being evaluated or in the solution proposed. When something feels off about what you've been offered, counter-expertise is exactly what you need.
Backup Testing and Recovery Readiness — Can You Actually Recover?
A backup restore test is a concrete, documented verification of your organization's ability to recover its data in the event of an incident. Factero performs real restores in an isolated environment, measures actual RPO and RTO, and produces a detailed report. For organizations that want to go further, the engagement can be extended to recovery readiness (BCP/DRP): business impact analysis, continuity strategies, failover procedures, simulation exercises. Most organizations trust their MSP's dashboard — but 'green status' doesn't say anything about what happens the morning you actually need to resume operations.
IT Incident Recovery — The Biggest Trap Is Going Back to 'Normal'
IT incident recovery is a structured engagement that follows the technical stabilization of a cyber or IT incident. Factero validates that the recovery is complete, the root cause has been identified, and that fixes were actually applied — following the NIST Incident Response framework. The pressure to get back to 'normal' is intense, but 'normal' is often what allowed the incident in the first place.
IT Roadmap for Quebec & Ontario SMEs — A Plan That Actually Works
IT strategic planning is a roadmap that aligns your technology investments with your organization's objectives. Factero produces a realistic 3-to-5-year plan — project prioritization, budget forecasts, deployment timeline — based on the actual state of your infrastructure, not a generic template. Without a roadmap, IT purchases happen one at a time and technology ends up slowing the organization down instead of supporting it.
Switching IT Providers in Quebec & Ontario — Switch, Stay, or Fix?
IT vendor management is an independent engagement to evaluate, oversee, or renegotiate your relationships with technology providers. Factero steps in when the relationship isn't working — or before it derails — to analyze contracts, service levels, and costs, then recommend the best course: switch, stay, or fix. The analysis is independent: Factero resells nothing and receives no commission from any software vendor, MSP or integrator.
IT & Cybersecurity Expert Witness — Quebec & Ontario
An IT and cybersecurity expert witness is an independent professional who intervenes in litigation to make technical issues clear and verifiable before a court. Factero produces structured expertise reports, analyzes digital evidence, and testifies in court when needed. Factero's principal associate holds the CISA certification (ISACA), internationally recognized for information systems auditing.
Law 25 Compliance — Protect your organization, not just your documents
Law 25 compliance is a structured engagement to implement the obligations of Quebec's Act respecting the protection of personal information in the private sector, on the IT and governance side. Factero performs data mapping, implements incident management and access request processes, and secures your systems. Important: this service covers the IT side — we don't replace legal advice, but work in collaboration with your legal team.
SME Offer — Clarify an IT decision, without launching a large mandate
The SME Offer is a structured IT diagnostic designed for small and medium-sized businesses that need a clear answer to one or two specific questions — without launching a full engagement. Factero structures the session, analyzes your situation, and delivers a concrete opinion in under 2 hours. One price: $399.
Important: this service is an opinion, not an intervention. The only technical actions are observations — reading a configuration, analyzing an environment, evaluating a quote. No corrective action is included. You leave with a clear opinion to inform your decision, not with a technician who modified your systems.
Your issue is already well-defined? Write to us directly — no preliminary call needed to get started.
Human Resources — HR Compliance with IT Component
Factero's Human Resources service coordinates HR and IT challenges within a single engagement — Law 25 employee compliance, IT-HR policies, pay equity, and French Language Charter (Bill 96) obligations. Our HR partners (30+ years of experience) work in tandem with our IT team to eliminate inconsistencies between your systems and your policies.
One point of contact, zero parallel mandates to manage. Three tracks available depending on your situation: HR compliance (Law 25, policies, remote work, BYOD), language compliance (Bill 96), and pay equity.
HR Compliance — Law 25 Employee Data and IT-HR Policies
HR compliance is an engagement that covers the employee side of Quebec's Law 25 (privacy legislation), internal policies (remote work, BYOD, confidentiality), and the designation of your Privacy Protection Officer (PPO). Factero coordinates our HR partners and our IT team to ensure your policies account for your actual infrastructure — not just abstract legal requirements.
The result: enforceable policies, a documented PPO mandate, a training plan, and Law 25 compliance that doesn't stop at theory.
Law 27 Compliance — French Language Charter and IT Tools
Law 27 compliance is an engagement that covers the linguistic obligations imposed by Quebec's French Language Charter on IT tools, software, internal communications, and employment contracts. Factero leads compliance on the IT side: inventory of subject tools, gap assessment, compliance plan, and corrective follow-up. Our HR partners contribute to the communications and internal policy components.
This service is designed for companies with 25+ employees in Quebec — whether you're anticipating an OQLF inspection or simply want to comply proactively.
Pay Equity and Compensation Studies
Pay equity is a mandatory exercise for any Quebec organization with 10 or more employees, governed by the Pay Equity Act and the CNESST. The initial exercise is required as soon as the threshold is reached, maintenance is due every 5 years, and deadlines run from the organization's creation date — not from when you find out.
Factero's HR partners carry out the exercise with you: job category evaluation, compensation comparison, compliance report, and mandatory posting. The IT team intervenes when payroll systems or HR tools are involved to ensure consistency between data and conclusions.
Hiring an IT Director — First, Know Exactly What You're Looking For
IT director recruitment is a support service that starts with defining the right profile — built from your actual IT environment, not a generic template. Valérie Gravel (CRHA), Factero's HR partner specializing in IT executive search, leads the process end-to-end: technology context audit, profile drafting, candidate sourcing, evaluation, and onboarding.
This service is particularly suited for organizations coming out of a Factero interim or vCIO mandate — the profile is defined from concrete knowledge of your environment, not a theoretical job description.
ISO 27001 Certification Support
ISO 27001 certification support is a structured engagement that takes your organization from starting point to certification recommendation by an accredited third-party body. Factero leads the process: gap analysis, building the Information Security Management System (ISMS), drafting policies, implementing the 93 Annex A controls, internal audit, and management review. We prepare — we don't certify. The certification body (BSI, DNV, Bureau Veritas, SGS, Intertek, etc.) remains an independent accredited third party, as it must be. Engagement led by a CISA-certified principal associate, grounded in ISO 27001:2022, ISO 27002:2022, and NIST-CSF frameworks.
CAN/DGSI 104 Certification Support (CyberSecure Canada)
CAN/DGSI 104 certification support is a structured engagement that takes your organization from initial assessment through to certification recommendation by an accredited third-party body, under the CyberSecure Canada program. The standard specifies 18 core cybersecurity controls (55 sub-controls) organized across Sections 5 and 6 of the document, with two levels of requirements (Level 1 and Level 2). The Rev 1:2024 revision clarified the distinction between Level 1 and Level 2 across six areas: cybersecurity training, risk assessment, incident response plan, secure configuration process, data backups, and cloud / outsourced IT services. Factero leads the process: level selection (1 or 2), gap analysis, control implementation, documentation, internal audit, support through the certification audit, and preparation of the 12-month maintenance audit. We prepare — we don't certify. The certification body, accredited by the Standards Council of Canada (SCC) under ISO/IEC 17021-1, remains an independent third party. Engagement led by a CISA-certified principal associate, with CAN/DGSI 104:2021 Rev 1:2024 as the target standard and NIST-CSF as supporting framework for risk prioritization.
SOC 2 Readiness Support
SOC 2 readiness support is a structured engagement that prepares your organization for the examination conducted by an independent CPA firm and for obtaining a SOC 2 report aligned with the AICPA's Trust Services Criteria (TSC) 2017 (with revised points of focus in 2022). Factero leads the client-side process: report type selection (Type 1 or Type 2) and criteria selection (Security mandatory, plus Availability, Processing Integrity, Confidentiality, Privacy), gap analysis, control implementation, System Description drafting, internal audit, and support through the CPA examination. We prepare — we don't issue the report. The SOC 2 report is issued exclusively by an independent CPA firm in accordance with AICPA SSAE No. 23 standards. That's what gives it value. Engagement led by a CISA-certified principal associate, with TSC 2017 as the target and NIST-CSF as supporting framework.
CPCSC Certification Support (Canadian Program for Cyber Security Certification)
CPCSC certification support (Canadian Program for Cyber Security Certification, in French PCCC) is a structured engagement preparing your organization for the cyber requirements imposed by Public Services and Procurement Canada (PSPC) on Defence contracts. The program was announced on March 12, 2025 by PSPC, and its technical reference document ITSP.10.171 (Protection of Designated Information in Organizations and Systems Outside the Government of Canada) was published by the Canadian Centre for Cyber Security with an effective date of April 2, 2025. The program provides for three certification levels: Level 1 (self-assessment, 13 foundational security requirements), Level 2 (third-party assessment, 97 complete controls), and Level 3 (conducted by the Canadian government, reserved for very high-risk scenarios). Factero leads the process: level selection, gap analysis against the ITSP.10.171 standard, implementation of missing controls, documentation, self-assessment (Level 1) or third-party certification preparation (Level 2) by a body accredited by the Standards Council of Canada (SCC). We prepare — we don't certify. Level 2 certification is issued by an independent assessment body accredited under ISO/IEC 17020. Engagement led by a CISA-certified principal associate, with ITSP.10.171 as the target and NIST SP 800-171 Rev. 3 as direct reference (to be distinguished from US CMMC which is based on Rev. 2 — see dedicated FAQ). Factero is itself certified PCCC Level 1 based on ITSP.10.171 (attestation valid from 2026-05-19 to 2027-05-19) — we apply to our own organization the same federal cybersecurity framework we guide our clients toward, with the same consistency as for our own corporate CyberSecure Canada (CAN/DGSI 104:2021 / Rev 1: 2024) certification. Proof available on request via our Trust Center.
TGV Certification Support (Quebec Health Network)
TGV certification support (Trousse globale de vérification — Global Verification Kit) is a structured engagement that takes your technology product or service from self-declaration through to the conformity attestation issued by the Bureau de certification et d'homologation (BCH) of MSSS / Santé Québec. Factero leads the vendor-side process: reading and prioritizing the 254 criteria (at the time of writing) across 4 domains (security, privacy, performance, technology), preparing documentation, implementing missing controls, coordinating the penetration test, pre-submission review, and support through the external verification firm's assessment (30 business days). The TGV evolves regularly — Factero actively monitors MSSS work and anticipates future versions so the frameworks we build with clients hold up over time. We prepare — we don't certify. The certification is issued exclusively by the BCH, following independent verification. Engagement led by a CISA-certified principal associate, with LPRPSP (Law 25), LADOPPRP, the MSSS User Identification Normative Framework, and NIST-CSF as supporting frameworks.
Edtech Security Compliance Support (Quebec School Network)
Edtech compliance support is a structured engagement preparing your technology product or service for the Quebec school sector to meet the information security requirements imposed by school service centers (CSSs), the Quebec Ministry of Education (MEQ), and their reference frameworks. Factero leads the vendor-side process: reading applicable regulatory frameworks (LGGRI, Government Directive on Information Security, Law 25, CSS-specific requirements), gap analysis, evidence drafting, support during evaluations by your CSS clients. Our role is not to replace a certification — there is no official Edtech certification equivalent to health's TGV. Our role is to structure your security setup and documentation to respond honestly and effectively to contractual requirements that have hardened since 2023. Engagement led by a CISA-certified principal associate, with NIST-CSF, ISO 27002, and applicable provincial frameworks as supporting references.
Cyber Insurance Support
Cyber insurance support is a structured engagement that prepares your organization to correctly answer the underwriting or renewal requirements of a cyber insurance policy. Factero reviews insurer questionnaires with you, identifies the gaps between your actual posture and what you're tempted to declare, recommends corrective actions before submission, and supports you through exchanges with your broker or insurer. We don't sell insurance. We earn no commission. Our only interest is that your policy actually protects you when you need it — and that it isn't voided for misrepresentation the morning of the incident.
Crisis Tabletop Exercise — Test Your Plan Before a Real Incident Does
A crisis tabletop exercise is a facilitated simulation of a major incident — ransomware, disaster, loss of a critical supplier, internal fraud, data breach — played around a table with your leadership, IT team, and key partners. Factero designs a realistic scenario adapted to your industry, runs it hour by hour, documents the decisions made and the blind spots exposed, and delivers a report, prioritized action plan, leadership readout, and formal attestation transmissible directly to your cyber insurer. The exercise can stand alone or fit within a broader engagement (BCP/DRP, ISO 27001 / CAN/DGSI 104 / SOC 2 certification, cyber insurance support). No plan survives first contact with a real incident unless tested — the point of the tabletop is to surface the surprises in the meeting room, not in the middle of the chaos.
ISO/IEC 42001 Support — AI Governance as a Natural Extension of ISO 27001
ISO/IEC 42001:2023 is the first international standard for an Artificial Intelligence Management System (AIMS), published in December 2023. It applies to organizations that develop, provide, or use AI systems, and requires a structured framework to manage transparency, accountability, bias, security, and privacy across the AI system lifecycle. Factero supports two profiles of organizations: those pursuing ISO 42001 certification as a standalone effort, and those approaching it as a natural extension of an existing ISO 27001 program. The two standards are deliberately aligned in structure (same Annex SL, risk-based approach, Statement of Applicability), allowing a large portion of the existing framework to be reused. (Source: ISO/IEC 42001:2023, published by ISO and IEC.)