Compliance
They'll ask about your security, so make sure you like the answer
Most businesses are not trying to satisfy every standard. They are trying to answer a buyer, insurer, procurement team, or privacy obligation with confidence. These pages explain what each standard or duty is really asking for, why it matters commercially, and where businesses usually need practical support.
Start with the active requirement
Find the rule, framework, or buyer expectation that is already in the room
These pages explain what each standard is really asking for, why it matters commercially, and where businesses usually need support first
CIS Critical Security Controls
Useful when the business needs a fix-first order and a cleaner answer to 'what should we tighten next?' rather than another abstract security debate.
Read the standard
IPP 12 — Cross-Border Disclosure
Usually becomes relevant when staff or customer data touches offshore cloud platforms, vendors, or overseas partners — and you need to show which arrangements are actually compliant.
Read the standard
IPP 3A — Indirect Collection Notification
Usually lands when personal information reaches you through referrals, reference checks, recruiters, brokers, or other third-party sources — now with a May 2026 deadline attached.
Read the standard
ISO/IEC 27001
Usually appears when a buyer, procurement team, or insurer wants proof security is being run as a managed business function, not just a loose collection of good intentions.
Read the standard
ISO 42001
Usually becomes relevant when a customer, regulator, or board asks for proof the business is governing AI use the same way it governs any other source of risk.
Read the standard
NIST Cybersecurity Framework
Useful when leadership, a customer, or an insurer wants a clearer answer than 'we're working on it' and you need one shared way to explain what is under control.
Read the standard
New Zealand Information Security Manual (NZISM)
Usually comes up when a government customer, agency, or prime contractor stops asking general questions and wants proof you can handle their information the way public-sector buyers expect.
Read the standard
New Zealand Privacy Act 2020
Usually becomes relevant the moment you collect, store, use, or share personal information — which in practice covers almost every NZ business.
Read the standard
SMB 1001
Usually appears when an Australian customer stops accepting 'we take security seriously' and wants tiered, independently-recognised evidence before the next contract signs or renews.
Read the standard
What this actually buys you
The right answer isn't 'we comply'. It's 'here's the file'
A standard only matters when you can hand the asker something they'll accept. The work is finding which standard is actually in the room, and getting the evidence on file before the question lands.
Tell us what your business is being asked to prove
We'll help you separate the obligations that actually apply from the customer asks that don't, and work out what to put on file first