The Challenge

Cybersecurity impacts your entire environment. This means your compliance activities can be complex with many overlapping areas. Compliance can be self-imposed or mandated through regulation or other stakeholder requirements.

It is common to handoff some of your IT requirements to third parties such as cloud providers or IT support companies. Whilst you may have contractual controls in place, how do you really know they are meeting your cybersecurity expectations?

There is no one-size-fits-all model, and your compliance requirements are unique to your organisation.


We can help you understand your compliance requirements and work with you to achieve the level of compliance that you need for your environment.

We work with you wherever you might be in your journey – whether you are wanting to assess your environment and identify where compliance gaps exist, develop a roadmap to close those gaps, or prepare for certification.  We also have a service that can help you manage your compliance activities saving you time and money!

We’ll also work with you to provide an independent assessment of those ‘trusted’ third parties.


Your executives can be assured that your cybersecurity processes have been independently assessed so you have objective feedback and know your true cybersecurity status.

  • You know where you need to focus to meet regulatory and/or stakeholder requirements.
  • You know how well your cybersecurity measures up to a standard.

  • You can provide evidence of your cybersecurity maturity to your insurance provider.
  • You know that your outsourced third parties are meeting your cybersecurity requirements.


This service is designed to help you manage your control compliance lifecycle. It offers a single repository for all your compliance information so that you can more efficiently track control assessment information, undertake compliance activities, and better understand and mitigate your gaps. It is designed to save you time and money and provide you with visibility and a foundation so you can implement a consistent process.

  • A single integrated view for controls, assets, assessment detail, owners, and timeframes.
  • Ability to schedule and alert on compliance deadlines.
  • Holistic view of your status against your specific compliance requirements.
  • Viewpoint of each control and its status based on your most recent assessments.
  • Audibility and traceability of changes to compliance and the impacts of this through dashboards.

Business managers and technical teams don’t always have a clear understanding of what is required to protect both their business and its information assets in an increasingly connected operational environment.

This service provides you with an objective view of your current level of cybersecurity maturity and a pragmatic roadmap to help you raise the bar. Our consultants have extensive experience with various frameworks.

Our service includes the following:

  • A gap analysis determining the shortfalls between your current state and your chosen cybersecurity controls framework.
  • If required, we can help you select an appropriate framework for your organisation.
  • Prioritised recommendations to remediate identified gaps.
  • A full gap analysis review with detailed findings for technical staff, including an executive summary.
  • For a longer commitment including regular reassessment as controls are addressed, we also provide access to our cloud-based tool so you can review your most recent assessment data in real-time.

Organisations may need to demonstrate a level of cyber maturity by becoming certified.

A cybersecurity certification readiness assessment provides you with greater knowledge and understanding of your system’s cybersecurity posture before you involve the certification auditor.

Our consultants work to assist you with the following activities:

  • Assess your system before your official certification assessment to help you identify any areas of concern to be addressed.
  • Provide input on which findings should be prioritised for remediation or mitigation.
  • Create mitigation statements if required.

If you can’t measure it, you can’t improve it!

This service provides you with a detailed assessment to determine the efficacy of information security controls, as a standalone review and report, or as part of formal review of your information security management system (ISMS).

For these engagements we work within your controls framework, risk management, and treatment methodologies.

You will receive:

  • An assessment of the effectiveness of your organisation’s security controls
  • Information that allows a focused and efficient approach to improving your security posture

There is a misconception that cybersecurity threats are limited to technology and online activity, however your physical environment could be equally at risk. When staff are distracted, they may not pay attention to unauthorised people attempting to access restricted areas, or they may leave their unattended computer unlocked.

Our team has significant experience simulating unauthorised access to restricted areas during office hours.

This service assesses how easy it is for an unauthorised person to access your environment.

The three main assessment areas include:

  • physical access to restricted office areas
  • access to an unattended and unlocked computer, including sending an email from it to your security team
  • physical access to a server or equipment room

Following the assessment, we provide you with a report of our findings and recommendations.

Penetration testing is important in helping you understand your application, network, and perimeter-based vulnerabilities that hackers could exploit. Understanding what these gaps are, is the first step towards remediation.

We have partnered with ZX Security to provide you with the following services:

  • External penetration test – Review your presence on the Internet and susceptibility to being compromised, either through misconfigured, unpatched, or insecure servers. Other areas that could be tested include access to administrative interfaces, webmail, and remote access service portals.
  • Internal penetration test – Test whether a consultant can make their way through the network, obtain administrative permissions, and determine if the security team monitoring the network can detect and/or stop the intrusion.
  • Red team engagement – A wide scope test of people and systems for security weaknesses as well as the operational security response to a real-life intrusion.

“During our recent CIS assessment, I was amazed at how quickly Dave L was able to build rapport with my team, and how comfortable and open they were with him whilst he was essentially “picking through their dirty laundry”. This resulted in many valuable deep dive discussions, and a more thorough review of our environment.”

Dave Francis,
NZ Automobile Association

Want to know more about our Compliance Assesments?

Our Partners

  • partner-logo-zx-security