On this page

Our GRC consultants have a deep understanding of the information security risks facing organisations today, and extensive experience in risk management, assurance, governance and certification & accreditation. They can help you identify and manage these risks based on your requirements. We provide a pragmatic approach by tailoring our services to your requirements to help you achieve your goals in the most efficient way.

Our team of consultants hold a variety of professional qualifications including CISSP, COBIT, ITIL, OSCPs, PCI QSAs, ISO 27001 Lead Auditors, CISA, CISSP, CISM, and SABSA certified consultants.


Certification and Accreditation (C&A)

C&A is a fundamental governance and assurance process carried out by all New Zealand Government agencies. C&A provides confidence to stakeholders that your information and associated technology is well managed. Our consultants have a great deal of experience conducting C&As on ICT systems to identify the risks, assess that the system complies with the minimum standards and controls described in the NZISM, and that any control deficiencies have been identified, assessed and acknowledged. Our C&A engagement will provide you with a:

  • Security Risk Assessment
  • Controls Validation Plan (note this will be sent to the technical support staff)
  • Controls Validation Audit
  • Security Certificate or an Approval to Operate memorandum

Risk Assessments

Risk assessments are critical for both government agencies and private sector businesses in New Zealand to comprehensively understand, prioritise, and manage information security risks. Our risk assessment will put these threats into context for your business and provide recommendations to manage the risk to a level that is tolerable to you. We work closely with you to:

  • Assess risk for your key information systems
  • Conduct workshops with stakeholders to understand risk scenarios and business impacts
  • Prioritise risks based on significance to your specific business needs
  • Identify a catalogue of appropriate controls for effective risk management

Security Risk Management Plan (SRMP)

A SRMP identify risks, deficient controls, and remediation measures to manage and reduce these risks. Our GRC consultants will work closely with you to identify the risks that have not met their residual risk score, or have deficient controls, and we will outline a treatment and remediation plan for you to address, manage and reduce these risks, improving your system’s overall risk position.

Maturity Assessment

A security maturity assessment involves our expert consultants working closely with you to understand your operating context, assess your control implementation and identify your current and target maturity level in each domain. We will then prepare a set of recommended activities you could carry out to reach that state. A maturity assessment provides a good basis for preparing a security roadmap, and we can assess against common security controls framework including:

  • CERT NZ Critical Controls
  • ISO 27001
  • NIST
  • Protective Security Requirements (PSR)

Security Health Check

A Security Health Check is a business-focused holistic risk assessment of your security posture. It best suits small and medium sized businesses who are at the start of their security journey. Our professional consultants will work with you to understand your business context and priorities, identifying any risks to your business and suggesting controls to reduce that risk. The Security Health Check is not a full audit but will provide you with a snapshot of how securely your business is operating. It covers:

  • The security posture of your people, processes and technology
  • The software, firmware, and hardware versions in use, and any known vulnerabilities
  • Your access control practices

Supply Chain Vendor Assessments

Third party risk management and supply chain due diligence is important for both public sector and private sector organisations. While third party risk management tools exist to identify and mitigate risks, it is essential to align these tools with your broader risk management framework to ensure efficient and cohesive risk mitigation. Our security consultants will work with you to:

  • Establish guidelines for identifying, assessing, monitoring, and measuring the security risks associated with your third party providers
  • Categorise them into risk-based tiers and profiles
  • Define specific information security requirements and baseline assurance activities for your third parties to meet

Architecture and Design Reviews

Architecture and design reviews are used to ensure that security requirements have been defined and will be satisfied before a solution is placed into production. We can assess your proposed solution against an industry or government standard, or against vendor security practices and security guidelines.

Telecommunications-as-a-Service (TaaS)

We can provide independent security assurance for TaaS providers including scope endorsement, threat assessments and conducting the required technical testing and assurance activities. We can also help you with Taas Annual Assurance reviews to ensure you remain certified.

Consulting and Advisory


Our virtual Chief Information Security Officer (vCISO) provides you with senior security advisory services to support your leadership team in improving the security of your business. We will create a programme of work with you to suit your needs, which can include:

  • Lead security improvement programmes
  • Work with business leaders to understand and mitigate risk
  • Engage with your suppliers and customers
  • Act as an escalation point for security queries
  • Provide you with expert and pragmatic advice to make risk-based business decisions


A virtual information technology security manager (vITSM) provides organisations with the skills to assist with the implementation, maintenance, and measurement of technical security controls. An ITSM acts as a conduit between the CISO’s strategic directions and the technical efforts of systems administrators. Our vITSMs are leaders with strong technical skills who can prioritise remediation activities, provide guidance on how to implement security controls, and identify additional assurance activities that might be required.

PSR Programme Lead

The Protective Security Requirements (PSR) is a policy framework outlining what Government organisations must do to manage security effectively. It covers security governance, physical security, personnel security and information security. All organisations that work with government information, including private companies, should consider assessing themselves against the PSR. Our Programme Lead engagement will:

  • Conduct a gap analysis to understand your strengths and weaknesses
  • Develop a programme of work, and support you to achieve your desired security state
  • Provide ongoing advice and guidance to help your teams implement the programme

ISO27001 Preparation

Certification against ISO/IEC 27001 is one of the best ways to signal to your customers and stakeholders that you take information security seriously and have achieved a level of operational security across a range of areas. We can support your preparation for a certification against ISO27001 by providing readiness assessments, advisory services, implementation planning and preparation testing for the audit itself including a pre-audit by our certified auditors. Our ISO27001-derived controls catalogue will indicate your level of maturity against each control, and we will provide you with pragmatic guidance on how best to improve your security posture.

Physical Security Assessments

Physical security is a combination of physical and procedural measures designed to prevent or reduce threats to people, information and assets. It complements other security measures such as communications and ICT security. Our team of dedicated and competent security consultants are practiced in assessing the risks and controls relating to physical security. We can assess your data centre or office, and we offer Ministerial Assessments to ensure Government Ministers receive appropriate physical security measures.


Payment Card Industry (PCI) Audits

Our experienced consultants include Qualified Security Assessors (QSAs), who can assist you with your PCI audit scoping, gap analysis, tabletop exercises Self-Assessment Questionnaire, or identifying any changes between PCI DSS versions that might impact you. We also offer:

  • Pre-audit assistance (identification of issues before the official audit begins)
  • Full audit for clients that require a full Report on Compliance (ROC) and Attestation of Compliance (AOC)
  • Technical security testing including penetration testing, vulnerability scanning, web app assessments and reviews of system configurations and network security rule sets

Marketplace Audits

We can assist you, as a Service Provider, with your Tier 1 and Tier 2 Marketplace certification audits. We utilise a checklist audit similar to SOC 2 Type II, conduct comprehensive security assurance evaluation to ensure you meet the compliance standards, and can guide you through a formal Lead Agency defined scope endorsement process. With our tailored approach and expertise, you will obtain the required security artefacts to complete your Marketplace application requirements.

SWIFT Customer Security Controls Framework (CSCF) Audits

The SWIFT CSCF describes a set of mandatory and advisory security controls for any party connecting to the SWIFT banking network. SWIFT users are required to report their compliance annually. Our qualified consultants can help you by providing an independent Community Standard Assessment to identify your level of compliance against the current version, and even assist you with the submission of compliance status to SWIFT via the online KYC (Know Your Customer) Registry Security Attestation application.

Contact us

Take the next step and talk to us today.