Government Supply Chain
Government buyers don't pick on price. They pick on proof
Security support for NZ suppliers selling into government — built for the 62-question tender questionnaire, the government security standard nobody has costed, and the day the agency decides to use its audit rights.
Sector Reality
The question a customer or insurer asks before the deal
It rarely starts with a breach. It starts with a procurement panel asking where the NZISM-aligned assurance baseline actually lives
Waiting costs more when the contract is MBIE-panelled. A CAM question becomes a revoked pre-qualification. A DIA security clearance review becomes a stop-work. A GCSB-referred supplier assurance question becomes a 90-day cure period. Each one is harder to close than the paperwork that would have prevented it.
Common Pressure Points
Where the questions cluster before the deal lands
Where MBIE procurement, DIA clearance, and agency supplier-assurance reviews all ask for the same evidence in subtly different formats
The RFP arrived with 62 security questions attached
A year ago the RFP had five boxes for ISO-style answers. Now there are sixty, and the deadline is still five working days. The firms that win these contracts have the evidence ready. The firms that don't either walk away or write answers that won't survive a single follow-up question.
The government's security manual isn't something you grow into. It's proven on day one
Agencies expect alignment with the NZ Information Security Manual (NZISM) before the contract is signed, not after. For most firms, the gap between where they sit and where the manual expects them to be is months of work. Trying to close it during tender writing means the tender is already lost.
The contract gives the agency the right to audit. Have they used it yet?
Most government contracts include an audit clause. Most suppliers have never had it exercised, so they assume it's dormant. It isn't. When an agency decides to use it, the notice is usually short and the evidence they want is the kind no one produces under pressure.
Your IT provider isn't going to answer the government's security framework for you
Protective Security Requirements (PSR) covers governance, personnel, physical, and information security. Your IT provider runs the technology layer. When the agency reviewer asks who vets your staff, who controls physical access to the comms cabinet, and who signs off on policy changes, your IT provider isn't the one on the hook. You are.
Standards That Apply
The evidence that ends the questionnaire loop
Common obligations and buyer expectations
Relevant Services
First month: baseline, ownership, and one piece of evidence
The first move: an NZISM control baseline, a tested supplier-assurance response, and one piece of evidence for the next CAM refresh
See The Gap Before The Tender Reviewer Does
See what stands between the business and NZISM, PSR INFOSEC, or ISO 27001 before an audit, tender, or government supplier review exposes the gap.
See what an auditor will ask for before they ask
See how ready you are for audit and assemble the evidence before the auditor, customer, or assessor starts the clock.
Stop Rebuilding The Same Evidence For Every Standard
Stop rebuilding the same evidence for every buyer, framework, and audit request by showing where one control can satisfy more than one demand.
Stop rewriting the same questionnaire for every deal
Answer customer and partner security questionnaires without slowing deals down or rebuilding the response every time.
Stop Maintaining Policies Nobody Actually Reads
Put the policies the business actually needs in place, keep them current, and stop policy work turning into an annual scramble.
Remember every security promise across every contract
Keep customer security and privacy obligations in one register so commitments, exceptions, and evidence do not disappear between contracts.
Questions We Hear
The questions every discovery call opens with
We're a small supplier — can we afford to meet government security standards?
Supplier security expectations are tightening fast. The Minimum Cyber Security Standards (published 30 October 2025) are now mandatory for agencies under the Government Chief Information Security Officer mandate, and others are adopting them. With $51.5 billion in annual government procurement spend at stake, unprepared suppliers get screened out before they can prove their capability. Support starts from $1,750 a month, built to grow with the contracts you're pursuing.
Our IT provider handles our security — isn't that enough for government work?
Government agencies assess your controls, policies, and ownership — not just your technology. Alignment with the government's information security manual, Protective Security Requirements, audit evidence, policies, risk registers, and incident response plans all sit outside your IT provider's scope. When an agency reviewer asks how your security is set up, your IT provider can't produce that evidence on your behalf.
We've been supplying government for years without structured security support — why change now?
Agencies are tightening what they expect from suppliers and documenting it more clearly. What was acceptable three years ago may not survive the next procurement round — especially where sensitive information, hosted systems, or operational resilience are in scope. The Mercury IT ransomware attack, which compromised Ministry of Justice and Health NZ data through a single IT provider, accelerated the focus on supplier assurance and oversight.
Do we need full NZISM compliance, or just specific parts?
It depends on what you handle and for whom. Most smaller suppliers need alignment with a subset of NZISM controls scoped to their specific engagement. A gap assessment identifies which controls apply, where you already meet them, and what needs work — so you invest in the right areas instead of chasing blanket compliance.
What Usually Happens Next
Stop treating every agency question like a new compliance project
If procurement, agency assurance, or the government security standard is already active, we'll help you work out what has to be proved now, what evidence can be reused, and where the real gaps still sit.