Governance, Risk & Compliance

On this page

• Consulting and Advisory
• Physical Security Assessments
• Audits

Our GRC consultants have a deep understanding of the information security risks facing organisations today, and extensive experience in risk management, assurance, governance and certification & accreditation. They can help you identify and manage these risks based on your requirements. We provide a pragmatic approach by tailoring our services to your requirements to help you achieve your goals in the most efficient way.

Our team of consultants hold a variety of professional qualifications including CISSP, COBIT, ITIL, OSCPs, PCI QSAs, ISO 27001 Lead Auditors, CISA, CISSP, CISM, and SABSA certified consultants.

Consulting and Advisory

vCISO

Our virtual Chief Information Security Officer (vCISO) provides you with senior security advisory services to support your leadership team in improving the security of your business. We will create a programme of work with you to suit your needs, which can include:

• Lead security improvement programmes
• Work with business leaders to understand and mitigate risk
• Engage with your suppliers and customers
• Act as an escalation point for security queries
• Provide you with expert and pragmatic advice to make risk-based business decisions

vITSM

A virtual information technology security manager (vITSM) provides organisations with the skills to assist with the implementation, maintenance, and measurement of technical security controls. An ITSM acts as a conduit between the CISO’s strategic directions and the technical efforts of systems administrators. Our vITSMs are leaders with strong technical skills who can prioritise remediation activities, provide guidance on how to implement security controls, and identify additional assurance activities that might be required.

PSR Programme Lead

The Protective Security Requirements (PSR) is a policy framework outlining what government organisations must do to manage security effectively. It covers security governance, physical security, personnel security and information security. All organisations that work with government information, including private companies, should consider assessing themselves against the PSR. Our Programme Lead engagement will:

• Conduct a gap analysis to understand your strengths and weaknesses
• Develop a programme of work, and support you to achieve your desired security state
• Provide ongoing advice and guidance to help your teams implement the programme

ISO27001 Preparation

Certification against ISO/IEC 27001 is one of the best ways to signal to your customers and stakeholders that you take information security seriously and have achieved a level of operational security across a range of areas. We can support your preparation for a certification against ISO27001 by providing readiness assessments, advisory services, implementation planning and preparation testing for the audit itself including a pre-audit by our certified auditors. Our ISO27001-derived controls catalogue will indicate your level of maturity against each control, and we will provide you with pragmatic guidance on how best to improve your security posture.

Maturity Assessment

A security maturity assessment involves our expert consultants working closely with you to understand your operating context, assess your control implementation and identify your current and target maturity level in each domain. We will then prepare a set of recommended activities you could carry out to reach that state. A maturity assessment provides a good basis for preparing a security roadmap, and we can assess against common security controls framework including:

• CERT NZ Critical Controls
• ISO 27001
• NIST
• NZISM
• Protective Security Requirements (PSR)

Security Health Check

A Security Health Check is a business-focused holistic risk assessment of your security posture. It best suits small and medium sized businesses who are at the start of their security journey. Our professional consultants will work with you to understand your business context and priorities, identifying any risks to your business and suggesting controls to reduce that risk. The Security Health Check is not a full audit but will provide you with a snapshot of how securely your business is operating. It covers:

• The security posture of your people, processes and technology
• The software, firmware, and hardware versions in use, and any known vulnerabilities
• Your access control practices

Supply Chain Vendor Assessments

Third party risk management and supply chain due diligence is important for both public sector and private sector organisations. While third party risk management tools exist to identify and mitigate risks, it is essential to align these tools with your broader risk management framework to ensure efficient and cohesive risk mitigation. Our security consultants will work with you to:

• Establish guidelines for identifying, assessing, monitoring, and measuring the security risks associated with your third party providers
• Categorise them into risk-based tiers and profiles
• Define specific information security requirements and baseline assurance activities for your third parties to meet

Architecture and Design Reviews

Architecture and design reviews are used to ensure that security requirements have been defined and will be satisfied before a solution is placed into production. We can assess your proposed solution against an industry or government standard, or against vendor security practices and security guidelines.

Telecommunications-as-a-Service (TaaS)

We can provide independent security assurance for TaaS providers including scope endorsement, threat assessments and conducting the required technical testing and assurance activities. We can also help you with Taas Annual Assurance reviews to ensure you remain certified.

Physical Security Assessments

Physical security is a combination of physical and procedural measures designed to prevent or reduce threats to people, information and assets. It complements other security measures such as communications and ICT security. Our team of dedicated and competent security consultants are practiced in assessing the risks and controls relating to physical security. We can assess your data centre or office, and offer assessments for executives and high-net-worth individuals to ensure they receive appropriate physical security measures.

Audits

Marketplace Audits

We can assist you, as a Service Provider, with your Tier 1 and Tier 2 Marketplace certification audits. We utilise a checklist audit similar to SOC 2 Type II, conduct comprehensive security assurance evaluation to ensure you meet the compliance standards, and can guide you through a formal Lead Agency defined scope endorsement process. With our tailored approach and expertise, you will obtain the required security artefacts to complete your Marketplace application requirements.

SWIFT Customer Security Controls Framework (CSCF) Audits

The SWIFT CSCF describes a set of mandatory and advisory security controls for any party connecting to the SWIFT banking network. SWIFT users are required to report their compliance annually. Our qualified consultants can help you by providing an independent Community Standard Assessment to identify your level of compliance against the current version, and even assist you with the submission of compliance status to SWIFT via the online KYC (Know Your Customer) Registry Security Attestation application.

ISO 27001 Internal Audit

We can provide internal audits at planned intervals as an outsourced internal function. The internal audit function is a requirement under the ISO27001 standard and aims to identify deficiencies which could impact the ability to gain external certification. We will assess the current people, processes and technology in place for managing your Information Security Management System against the requirements of ISO/IEC 27001:2022. Our ISO 27001 Lead Auditors are specially trained to identify non-conformities, so we are confident you’ll have the information and recommendations presented to you. This will set you up for success for the external certification audit. The output of the audit will be a formal report available for management review and evidence of the internal audit programme.