Pricing
Choose the level of structure, reporting, and evidence the business needs now. Start where it fits and step up when the demands change.
Choose your level
Most businesses start with Baseline, then step up only when scrutiny, reporting load, or board expectations get heavier.
Foundation
$1,750 /mo
The first credible answer when the business needs structure, named owners, and usable evidence fast.
Best when the business wants a practical baseline in place without jumping straight to the heavier tiers.
Evidence & Compliance
$3,500 /mo
The tier for buyers, insurers, privacy questions, and audit pressure that is already real.
Best when the business needs faster evidence and broader delivery support under live scrutiny.
Compare the tiers in full
Open this when you want the line-by-line scope before you choose how much structure the business needs now.
| Service | Baseline Security baseline | Assurance Evidence and compliance |
|---|---|---|
| Security Baseline Assessment | Full assessment at onboarding plus annual refresh | Full assessment at onboarding plus annual refresh |
| Cyber Insurance Readiness Assessment | Basic readiness assessment | Full assessment plus pre-completed insurer questionnaires |
| Monthly Security Review | Standard monthly review and report | Standard monthly report |
| Quarterly Security Scorecard | Standard quarterly scorecard | Enhanced scorecard with compliance tracking |
| Annual Security Report | Standard annual report | Enhanced report with board narrative |
| Information Asset Register | Basic register with annual review | Living register with quarterly reviews |
| Personal Data Inventory | Basic inventory for IPP 3A compliance | Full inventory with data flow mapping |
| Privacy Breach Readiness Report | Basic readiness report with templates | Full readiness report plus a practice run of the response |
| Incident Response Plan Suite | Core 5 response plans | Full 10-plan suite |
| Policy Suite & Lifecycle Management | Core 8-policy suite with annual review | Full 12+ policy suite with lifecycle management |
| Annual Security Review | 60-minute annual review call | 60-minute annual review call |
| Government Standards Gap Assessment | — | Gap assessment for one named standard |
| Third-Party / Vendor Risk Register | — | Standard register with annual assessments |
| Privacy Impact Assessment | — | Up to 6 assessments per year with 3-business-day turnaround |
| Security Questionnaire Response Engine | — | Up to 8 questionnaire responses per year with 3-business-day turnaround |
| Audit Readiness Score & Evidence Compiler | — | Main audit-readiness view |
| Customer Requirements Register | — | Requirements tracking plus annual impact assessments |
| Multi-Standard Compliance Mapping | — | Control mapping across two standards |
| Incident Management Assistant | — | 2 hours per month with quarterly rollover (max 8 banked) |
| Security Awareness Plan | — | Annual awareness plan plus quarterly review |
| Security Risk Register & Review | — | Working risk register plus annual review |
Cyber Insurance Readiness Assessment
Privacy Breach Readiness Report
Policy Suite & Lifecycle Management
Annual Security Review
Government Standards Gap Assessment
Third-Party / Vendor Risk Register
Security Questionnaire Response Engine
Audit Readiness Score & Evidence Compiler
Customer Requirements Register
Multi-Standard Compliance Mapping
Incident Management Assistant
Security Risk Register & Review
See what the first 90 days look like
Open this when you want the month-by-month view instead of wondering how quickly the business gets usable output.
What changes first
The first few months get the business organised, put evidence in one place, and establish a reporting rhythm leadership can actually use.
Week 1-2
Scoping call, team introductions, current-state review, and document collection.
Week 2-4
Review of where your security stands, gap analysis, prioritised risks, and the first written report.
Month 2
Priority policies, incident structure, evidence register, and the first working controls.
Month 3+
Monthly reporting, ongoing oversight, and leadership review at a predictable cadence.
Need a smaller starting option?
Open this when you need one urgent fix, one extra layer, or a smaller entry point before a broader monthly cadence.
Smaller starting options
These options work when you need one urgent answer, one extra layer, or one visible gap fixed before stepping into broader monthly support.
How to use this section
Start with one-off work when a single buyer, insurer, privacy, or audit question needs an immediate answer. Add-ons are there when Baseline or Assurance already fits and you only need one extra layer without a full tier jump.
Entry-point work
One-time engagement
Focused on IPP 3A indirect collection notification obligations before May 2026 deadline. Maps personal data, assesses privacy impacts, delivers compliance roadmap.
$3,500 to $5,500
One-time engagement
Focused on IPP 12 cross-border disclosure obligations. Audits international data flows, evaluates the Section 11 agent exception for cloud services, and lands the business on a compliant disclosure footing.
$3,000 to $5,000
Add-ons
Add-on
$1,000/mo
Additional incident management hours and priority response for organisations that need more capacity beyond their tier allocation.
Available with
Add-on
$500/mo
For organisations with strict data residency obligations. Every analysis, report, and deliverable runs entirely on private New Zealand infrastructure, with no ambiguity about where client data is processed.
Available with
Add-on
$350/hr
On-demand access to senior security expertise for ad-hoc projects, workshops, or advisory sessions beyond your tier inclusions.
Available with
Add-on
$2,000/yr
Annual coordination for one penetration testing engagement, including vendor selection, scoping, scheduling, and findings review.
Available with
FAQ
Choose based on the scrutiny the business is under. Baseline is the usual starting point when the business needs a credible first layer of structure. Assurance fits customer, insurer, or privacy obligations that are already active.
Yes. Most businesses start at the level that fits now and step up only when the scrutiny, customer base, or reporting expectations change.
Usually yes. A managed IT provider (MSP) runs systems. Good Security gives the business governance, reporting, evidence, privacy, and security leadership that most MSPs do not own.
We start by understanding your current exposure — whether that's customer questionnaires, insurance renewals, leadership expectations, or all three. The tier you start on reflects the breadth and depth of work needed, not a rigid package. Most businesses start at Baseline and step up only when the scrutiny, reporting load, or governance expectations justify it.
FAQ
Open the answers when you need the detail.
Choose based on the scrutiny the business is under. Baseline is the usual starting point when the business needs a credible first layer of structure. Assurance fits customer, insurer, or privacy obligations that are already active.
Yes. Most businesses start at the level that fits now and step up only when the scrutiny, customer base, or reporting expectations change.
Usually yes. A managed IT provider (MSP) runs systems. Good Security gives the business governance, reporting, evidence, privacy, and security leadership that most MSPs do not own.
We start by understanding your current exposure — whether that's customer questionnaires, insurance renewals, leadership expectations, or all three. The tier you start on reflects the breadth and depth of work needed, not a rigid package. Most businesses start at Baseline and step up only when the scrutiny, reporting load, or governance expectations justify it.
Book a free consultation and leave with a clear starting point, likely first steps, and the right level of support.
