Good Security

Service

See The Gap Before The Tender Reviewer Does

See what stands between the business and NZISM, PSR INFOSEC, or ISO 27001 before an audit, tender, or government supplier review exposes the gap.

The pressure

A government client, tender, or audit path needs proof against a named standard and the gaps are not yet clear

You leave with a clear gap view against the chosen standard, where evidence already exists, and what still needs to close.

Government work gets harder when the business cannot show which standards apply, where it already meets them, and where the gaps still sit. This assessment gives a clear view before an audit, tender, or supplier review turns compliance into a fire drill.

Good Security checks the relevant requirements, tests current evidence and control status, and leaves you with a gap view, an improvement sequence, and a practical explanation of which fixes cover multiple obligations at once.

Deliverables

The artefacts that land on your desk

A control-by-control matrix against NZISM, PSR INFOSEC, or ISO 27001, a findings report, and an improvement priority plan scoped to the tender or supplier-review window

Framework Compliance Matrix

A complete control-by-control assessment showing compliance status (Compliant, Partially Compliant, Non-Compliant, Not Applicable) with evidence references.

Gap Analysis & Findings Report

Detailed report of all identified gaps with risk ratings, business impact assessment, and specific guidance on how to fix each finding.

Improvement Priority Plan

Sequenced action plan addressing critical gaps first, with estimated effort levels and suggested implementation timelines.

Cross-Framework Mapping (Board oversight)

Visual mapping of overlapping controls across multiple frameworks, identifying where a single control implementation satisfies multiple requirements.

What that looks like in practice

A typical output is a control-by-control matrix showing where the business already meets the target standard, where evidence is weak, what still needs building, and which actions will close the biggest audit or supplier-review gaps first.

Outcomes

What stops being a scramble

The applicable standards are named, audit gaps are visible before the panel asks, and overlapping controls cut duplicate remediation work

  • The business knows which government standards really apply and which ones do not.
  • Audit and supplier-review gaps are visible early enough to plan, not just react.
  • Overlap across frameworks is easier to use, which cuts duplicate remediation work.
  • Evidence and ownership are easier to present when public-sector scrutiny starts.

Process

From kick-off to handover, step by step

Four steps from confirming the target standard, through evidence assessment and shortfall prioritisation, to a remediation-view walkthrough

1. Confirm the target standard

We pin down which framework, control set, and boundary matter for the work you are trying to win or keep.

2. Assess what is already in place

Good Security reviews current evidence, control status, and operating practices against the relevant requirements.

3. Prioritise the shortfall

The gaps are turned into a sequence that shows what needs to be fixed first and what can be staged.

4. Deliver the remediation view

You receive the gap matrix, the improvement plan, and a practical walkthrough of how to close the distance.

Not sure if this is the right next step for the business?

Book a call and we'll talk through whether this is the right next step, what you'd walk away with, and how it sits alongside anything the business already has in place.

Questions buyers ask before committing

When is this the right fit?

A government client, tender, or audit path needs proof against a named standard and the gaps are not yet clear. Use this when a government-facing requirement is already real and the business needs an evidence-led answer, not a vague framework discussion.

What changes once the work is delivered?

You leave with a clear gap view against the chosen standard, where evidence already exists, and what still needs to close.