Pricing
Choose the level of structure, reporting, and evidence the business needs now. Start where it fits and step up when the demands change.
Choose your level
Most businesses start with Baseline, then step up only when scrutiny, reporting load, or board expectations get heavier.
Baseline
Foundation
Security baseline
$1,750 /mo
The first credible answer when the business needs structure, named owners, and usable evidence fast.
Best when the business wants a practical baseline in place without jumping straight to the heavier tiers.
Assurance
Evidence & Compliance
Evidence and compliance
$3,500 /mo
The tier for buyers, insurers, privacy questions, and audit pressure that is already real.
Best when the business needs faster evidence and broader delivery support under live scrutiny.
Leadership
Fractional CISO
Fractional CISO
$8,500 /mo
The higher-touch tier for leadership teams that need stronger ownership, reporting, and pace.
Best when the business needs board-ready governance, a steadier operating rhythm, and a faster decision path.
Funding help
The NZTE Capability Development Voucher can cover up to $2,500 of your first security assessment.
Compare the tiers in full
Open this when you want the line-by-line scope before you choose how much structure the business needs now.
| Service | Baseline Security baseline | Assurance Evidence and compliance | Leadership Fractional CISO |
|---|---|---|---|
| Security Baseline Assessment | Full assessment at onboarding plus annual refresh | Full assessment at onboarding plus annual refresh | Full assessment at onboarding plus annual refresh |
| Cyber Insurance Readiness Assessment | Basic readiness assessment | Full assessment plus pre-completed insurer questionnaires | Full assessment plus pre-completed insurer questionnaires |
| Monthly Security Posture Report | Standard monthly report | Standard monthly report | Enhanced monthly report with trend analysis |
| Quarterly Security Scorecard | Standard quarterly scorecard | Enhanced scorecard with compliance tracking | Full scorecard with compliance tracking and benchmarking |
| Annual Security Report | Standard annual report | Enhanced report with board narrative | Board-ready report with narrative and strategic roadmap |
| Information Asset Register | Basic register with annual review | Living register with quarterly reviews | Living register with continuous updates and quarterly reviews |
| Personal Data Inventory | Basic inventory for IPP 3A compliance | Full inventory with data flow mapping | Complete inventory with data flow mapping and continuous updates |
| Privacy Breach Readiness Report | Basic readiness report with templates | Full readiness report plus tabletop exercise | Full readiness report plus tabletop exercise with enhanced scenarios |
| Incident Response Plan Suite | Core 5 response plans | Full 10-plan suite | Full 10+ plan suite with custom scenarios |
| Policy Suite & Lifecycle Management | Core 8-policy suite with annual review | Full 12+ policy suite with lifecycle management | Full 12+ policy suite with continuous lifecycle management |
| Annual Security Posture Review | 60-minute annual review call | 60-minute annual review call | 60-minute annual review call |
| Government Standards Gap Assessment | — | Single framework gap assessment | Multi-framework gap assessment |
| Third-Party / Vendor Risk Register | — | Standard register with annual assessments | Full register with continuous monitoring |
| Privacy Impact Assessment | — | Up to 6 assessments per year with 3-business-day turnaround | Unlimited assessments with 3-business-day turnaround |
| Security Questionnaire Response Engine | — | Up to 8 questionnaire responses per year with 3-business-day turnaround | Unlimited questionnaire responses with 3-business-day turnaround |
| Audit Readiness Score & Evidence Compiler | — | Primary framework audit readiness | Multi-framework audit readiness |
| Customer Requirements Register | — | Requirements tracking plus annual impact assessments | Full tracking with continuous impact assessments |
| Multi-Standard Compliance Mapping | — | Dual-framework control mapping | Multi-framework control mapping |
| Incident Management Assistant | — | 2 hours per month with quarterly rollover (max 8 banked) | 8 hours per month with quarterly rollover (max 24 banked) |
| Security Awareness Programme Design | — | Annual programme design plus quarterly review | Annual programme design with quarterly reviews and ongoing refinement |
| Risk Management Framework | — | Full framework plus annual review | Full framework with continuous review and enhancement |
| Audit Finding & Corrective Action Tracking | — | — | Full finding tracking and corrective action management |
| Board Advisory & Governance Reporting | — | — | Full board advisory and governance reporting included |
| AI Governance Programme | — | — | Full AI governance programme included |
Security Baseline Assessment
Cyber Insurance Readiness Assessment
Monthly Security Posture Report
Quarterly Security Scorecard
Annual Security Report
Information Asset Register
Personal Data Inventory
Privacy Breach Readiness Report
Incident Response Plan Suite
Policy Suite & Lifecycle Management
Annual Security Posture Review
Government Standards Gap Assessment
Third-Party / Vendor Risk Register
Privacy Impact Assessment
Security Questionnaire Response Engine
Audit Readiness Score & Evidence Compiler
Customer Requirements Register
Multi-Standard Compliance Mapping
Incident Management Assistant
Security Awareness Programme Design
Risk Management Framework
Audit Finding & Corrective Action Tracking
Board Advisory & Governance Reporting
AI Governance Programme
See what the first 90 days look like
Open this when you want the month-by-month view instead of wondering how quickly the business gets usable output.
What changes first
The first few months get the business organised, put evidence in one place, and establish a reporting rhythm leadership can actually use.
Week 1-2
Scoping call, team introductions, current-state review, and document collection.
Week 2-4
Review of where your security stands, gap analysis, prioritised risks, and the first written report.
Month 2
Priority policies, incident structure, evidence register, and the first working controls.
Month 3+
Monthly reporting, ongoing oversight, and leadership review at a predictable cadence.
Need a smaller starting option?
Open this when you need one urgent fix, one extra layer, or a smaller entry point before a broader monthly programme.
Smaller starting options
These options work when you need one urgent answer, one extra layer, or one visible gap fixed before stepping into a broader monthly programme.
Leadership already includes deeper governance, broader incident capacity, and AI-governance coverage. These add-ons mostly matter for Baseline or Assurance customers that need one extra layer without a full tier jump.
Entry-point work
One-time engagement
Government-funded security foundations for NZ businesses. NZTE Capability Development Voucher covers $2,500 of the $5,000 cost. Credit of $2,500 applies against first 2 months of Baseline if client converts — making the Foundations Pack effectively free.
$5,000 to $5,000
One-time engagement
Focused on IPP 3A indirect collection notification obligations before May 2026 deadline. Maps personal data, assesses privacy impacts, delivers compliance roadmap.
$3,500 to $5,500
One-time engagement
Focused on IPP 12 cross-border disclosure obligations. Audits international data flows, evaluates Section 11 agent exception for cloud services, ensures compliant disclosure.
$3,000 to $5,000
Add-ons
Add-on
$1,000 /mo
Board-level security reporting and advisory sessions for organisations that need governance visibility without the full Leadership tier.
Available with
Assurance
Add-on
$1,500 /mo
Practical AI governance support for organisations deploying or procuring AI-enabled systems, aligned to ISO 42001.
Available with
Baseline, Assurance
Add-on
$1,000 /mo
Additional incident management hours and priority response for organisations that need more capacity beyond their tier allocation.
Available with
Baseline, Assurance
Add-on
$500 /mo
For organisations with strict data residency obligations. Every analysis, report, and deliverable runs entirely on private New Zealand infrastructure, with no ambiguity about where client data is processed.
Available with
Baseline, Assurance, Leadership
Add-on
$350 /hr
On-demand access to senior security expertise for ad-hoc projects, workshops, or advisory sessions beyond your tier inclusions.
Available with
Baseline, Assurance, Leadership
Add-on
$2,000 /yr
Annual coordination for one penetration testing engagement, including vendor selection, scoping, scheduling, and findings review.
Available with
Baseline, Assurance, Leadership
FAQ
Choose based on the scrutiny the business is under. Baseline is the usual starting point when the business needs a credible first programme. Assurance fits customer, insurer, or privacy obligations that are already active. Leadership is for organisations that need deeper ownership, board-ready governance, and a higher-touch advisory cadence.
Yes. Most businesses start at the level that fits now and step up only when the scrutiny, customer base, or reporting expectations change.
Usually yes. A managed IT provider (MSP) runs systems. Good Security gives the business governance, reporting, evidence, privacy, and security leadership that most MSPs do not own.
We start by understanding your current exposure — whether that's customer questionnaires, insurance renewals, leadership expectations, or all three. The tier you start on reflects the breadth and depth of work needed, not a rigid package. Most businesses start at Baseline and step up only when the scrutiny, reporting load, or governance expectations justify it.
Book a free consultation and leave with a clear starting point, likely first steps, and the right level of programme.
"Delivers on his promises — completed to a high standard, within budget, and by the agreed deadline." — Marko Blagojevic, Information Services Manager
