Our GRC consultants have a deep understanding of the information security risks facing organisations today, and extensive experience in risk management, assurance, governance and certification & accreditation. They can help you identify and manage these risks based on your requirements. We provide a pragmatic approach by tailoring our services to your requirements to help you achieve your goals in the most efficient way.
Our team of consultants holds a variety of professional qualifications, including CISSP, COBIT, ITIL, OSCP, PCI QSA, ISO 27001 Lead Auditor, CISA, CISM and SABSA.
Consulting and Advisory
vCISO
Our virtual Chief Information Security Officer (vCISO) provides you with senior security advisory services to support your leadership team in improving the security of your business. We will create a programme of work with you to suit your needs, which can include:
- Lead security improvement programmes
- Work with business leaders to understand and mitigate risk
- Engage with your suppliers and customers
- Act as an escalation point for security queries
- Provide you with expert and pragmatic advice to make risk-based business decisions
vITSM
A virtual information technology security manager (vITSM) provides organisations with the skills to assist with the implementation, maintenance, and measurement of technical security controls. An ITSM acts as a conduit between the CISO’s strategic directions and the technical efforts of systems administrators. Our vITSMs are leaders with strong technical skills who can prioritise remediation activities, provide guidance on how to implement security controls, and identify additional assurance activities that might be required.
PSR Programme Lead
The Protective Security Requirements (PSR) is a policy framework outlining what government organisations must do to manage security effectively. It covers security governance, physical security, personnel security and information security. All organisations that work with government information, including private companies, should consider assessing themselves against the PSR. Our Programme Lead engagement will:
- Conduct a gap analysis to understand your strengths and weaknesses
- Develop a programme of work, and support you to achieve your desired security state
- Provide ongoing advice and guidance to help your teams implement the programme
ISO27001 Preparation
Certification against ISO/IEC 27001 is one of the best ways to signal to your customers and stakeholders that you take information security seriously and have achieved a level of operational security across a range of areas. We can support your preparation for a certification against ISO27001 by providing readiness assessments, advisory services, implementation planning and preparation testing for the audit itself including a pre-audit by our certified auditors. Our ISO27001-derived controls catalogue will indicate your level of maturity against each control, and we will provide you with pragmatic guidance on how best to improve your security posture.
Maturity Assessment
A security maturity assessment involves our expert consultants working closely with you to understand your operating context, assess your control implementation and identify your current and target maturity level in each domain. We will then prepare a set of recommended activities you could carry out to reach that state. A maturity assessment provides a good basis for preparing a security roadmap, and we can assess against common security control frameworks, including:
- CERT NZ Critical Controls
- ISO 27001
- NIST
- NZISM
- Protective Security Requirements (PSR)
Security Health Check
A Security Health Check is a business-focused holistic risk assessment of your security posture. It best suits small and medium sized businesses who are at the start of their security journey. Our professional consultants will work with you to understand your business context and priorities, identifying any risks to your business and suggesting controls to reduce that risk. The Security Health Check is not a full audit but will provide you with a snapshot of how securely your business is operating. It covers:
- The security posture of your people, processes and technology
- The software, firmware, and hardware versions in use, and any known vulnerabilities
- Your access control practices
Supply Chain Vendor Assessments
Third party risk management and supply chain due diligence are important for both public sector and private sector organisations. While third party risk management tools exist to identify and mitigate risks, it is essential to align these tools with your broader risk management framework to ensure efficient and cohesive risk mitigation. Our security consultants will work with you to:
- Establish guidelines for identifying, assessing, monitoring, and measuring the security risks associated with your third party providers
- Categorise them into risk-based tiers and profiles
- Define specific information security requirements and baseline assurance activities for your third parties to meet
Architecture and Design Reviews
Architecture and design reviews are used to ensure that security requirements have been defined and will be satisfied before a solution is placed into production. We can assess your proposed solution against an industry or government standard, or against vendor security practices and security guidelines.
Telecommunications-as-a-Service (TaaS)
We can provide independent security assurance for TaaS providers, including scope endorsement, threat assessments and conducting the required technical testing and assurance activities. We can also help you with TaaS Annual Assurance reviews to ensure you remain certified.
Physical Security Assessments
Physical security is a combination of physical and procedural measures designed to prevent or reduce threats to people, information and assets. It complements other security measures such as communications and ICT security. Our team of dedicated and competent security consultants is practised in assessing the risks and controls relating to physical security. We can assess your data centre or office, and offer assessments for executives and high-net-worth individuals to ensure they receive appropriate physical security measures.
Audits
Digital Identity Services Trust Framework Accreditation
Bastion conducts comprehensive independent security evaluations ensuring alignment with the Digital Identity Services Trust Framework Rules. This evaluation verifies that the Trust Framework Authority’s security requirements are met through a risk-based analysis of controls designed to mitigate identified security risks. As required by the Trust Framework Authority, this evaluation is critical for providers seeking accreditation, confirming conformance with rules and regulations for digital identity services. Our evaluations deliver clear insights, providing a robust foundation for compliance, accreditation and confidence in digital identity services.
Marketplace Audits
We can assist you, as a Service Provider, with your Tier 1 and Tier 2 Marketplace certification audits. We utilise a checklist audit similar to SOC 2 Type II, conduct a comprehensive security assurance evaluation to ensure you meet the compliance standards, and can guide you through a formal Lead Agency defined scope endorsement process. With our tailored approach and expertise, you will obtain the required security artefacts to complete your Marketplace application requirements.
SWIFT Customer Security Controls Framework (CSCF) Audits
The SWIFT CSCF describes a set of mandatory and advisory security controls for any party connecting to the SWIFT banking network. SWIFT users are required to report their compliance annually. Our qualified consultants can help you by providing an independent Community Standard Assessment to identify your level of compliance against the current version, and even assist you with the submission of compliance status to SWIFT via the online KYC (Know Your Customer) Registry Security Attestation application.
ISO 27001 Internal Audit
We can provide internal audits at planned intervals as an outsourced internal function. The internal audit function is a requirement under the ISO 27001 standard and aims to identify deficiencies which could impact the ability to gain external certification. We will assess the current people, processes and technology in place for managing your Information Security Management System against the requirements of ISO/IEC 27001:2022. Our ISO 27001 Lead Auditors are specially trained to identify non-conformities, so you can be confident that the information and recommendations presented to you will set you up for success at the external certification audit. The output of the audit will be a formal report available for management review and as evidence of the internal audit programme.
Privacy Impact Assessments
A Privacy Impact Assessment (PIA) is a systematic review process used to assess the potential impact of new projects, initiatives, or systems on individual privacy rights. It involves evaluating the collection, use, and handling of personal information to identify and address privacy risks and ensure compliance with relevant privacy laws and regulations. The PIA aims to safeguard privacy, promote transparency, and foster trust between organisations and individuals by proactively addressing privacy concerns throughout the project lifecycle.