What this gives the business
Where your business actually stands
A fictional baseline report showing scope, domain scoring, risk position, and a prioritised action roadmap.
Service
See where the business is exposed, what matters first, and what should be fixed before the next review, buyer question, or renewal lands.
The pressure
The business gets a defensible baseline, a prioritised roadmap, and named owners instead of scattered concerns.
When a buyer, insurer, or leader asks how secure the business really is, guessing gets expensive quickly. This assessment shows where the exposure sits today, what is already working, and which gaps are most likely to create friction or cost next.
Good Security reviews the current state across people, process, and technology, then leaves the business with a scored baseline, a risk-ranked roadmap, and a board-ready summary that makes the next decision easier.
Deliverables
A clear scored picture across 12 domains, a gap analysis report, a 12-month prioritised roadmap, and a board-ready two-page summary
A scored evaluation across 12 security domains with clear stage ratings from 1 (Initial) to 5 (Optimised), benchmarked against NZ industry peers.
Detailed findings for each domain identifying specific control gaps, with evidence-based severity ratings and business impact context.
A 12-month action plan with quick wins, medium-term projects, and strategic initiatives ranked by risk reduction and implementation effort.
A board-ready two-page summary with key findings, risk position rating, and top five recommended actions.
What that looks like in practice
The output is a board-ready baseline report with the current scored picture, the biggest exposure areas, and a sequenced roadmap that shows what should be fixed first, what can wait, and who needs to own each step.
Outcomes
The board stops guessing, security spend is tied to named gaps, and quarterly reporting has a baseline to measure against
Process
Four steps across scope, evidence review, gap ranking, and a walkthrough — most of the heavy lifting lands in the review and ranking steps
We confirm which systems, teams, and locations matter most so the assessment reflects the real business boundary.
Good Security reviews evidence, interviews key people, and checks how security actually operates day to day.
The findings are sorted into what needs attention now, what can be staged, and what is already good enough for the current risk level.
You get the written assessment, the improvement roadmap, and a practical discussion about what should happen next.
Related services
The work that usually comes next: the government-standards gap assessment for tender or AoG buyers, or the quarterly scorecard to keep the baseline current
Get protected
See what stands between the business and NZISM, PSR INFOSEC, or ISO 27001 before an audit, tender, or government supplier review exposes the gap.
Prove it to buyers and insurers
Show whether the programme is actually improving with a quarterly scorecard leadership can compare, discuss, and act on.
Book a call and we'll talk through whether this is the right next step, what you'd walk away with, and how it sits alongside anything the business already has in place.
Questions buyers ask before committing
You need one clear picture of where the business is exposed before customers, insurers, or leadership push harder. Use this when the business needs a credible first answer before layering reporting, compliance, or governance work on top.