Know where you stand.

A cyber security assessment is an independent review of a business’s security controls, systems, and processes. It identifies vulnerabilities across your network, cloud environment, identity controls, and incident response capability and delivers a prioritised plan for closing the gaps. It’s typically the right starting point before a penetration test, before applying for cyber insurance, or before a compliance audit.

An NSP cyber security assessment includes a maturity review against a recognised security framework, a technical scan of your network and endpoints, a cloud configuration review (Microsoft 365, Azure, or AWS), an identity and access controls audit, and an assessment of your security monitoring capability. You receive an executive summary, a full risk register, and a prioritised remediation roadmap.

Most assessments take between 5 and 10 business days from the time we have the access we need. The exact timeframe depends on scope and the size of your environment. We’ll agree it upfront – no surprises.

Increasingly, yes. NZ insurers are asking for evidence of specific security controls before underwriting and some are declining applicants who can’t demonstrate them. An NSP assessment identifies the gaps your insurer is looking for so you can close them before you apply.

A cyber security assessment reviews your overall security posture – covering people, processes, and technology. A penetration test actively simulates an attack to see how far a threat actor could get into your systems. Most businesses benefit from starting with an assessment. If you’re not sure which you need, talk to us and we’ll give you an honest answer.

Cost depends on scope and the size of your business. We give you a clear quote before anything starts – no surprises. The short answer: it costs significantly less than the average NZ data breach, which typically includes incident response costs, regulatory notification, downtime, and reputational damage.

Yes. Smaller businesses are specifically targeted because attackers know they’re less likely to have controls in place. NSP scopes assessments to match the size and complexity of your business – you won’t be paying for an enterprise engagement when you don’t need one.

A cyber security audit checks whether you’re meeting a defined standard or compliance requirement – think of it as a pass/fail test against a rulebook. A cyber security assessment is broader: it evaluates your actual risk exposure, identifies threats specific to your business, and gives you a prioritised remediation roadmap. Most businesses need an assessment before they’re ready for a formal audit.

For a technical assessment, yes – we’ll need read-only access to specific environments. We’ll walk you through exactly what that means before we start. Nothing in your environment is changed without your explicit approval.

The NIST Cybersecurity Framework is a widely adopted security standard that organises controls into five functions: Identify, Protect, Detect, Respond, and Recover. NSP’s assessments align with NIST and other recognised frameworks, which means your results map directly to a standard your board, insurer, or auditor will recognise.

At minimum, annually. Most security frameworks – NIST, ISO 27001, NZISM – recommend regular reviews, and cyber insurers are increasingly asking for evidence of recent assessments at renewal time. You should also get an assessment after any significant change to your environment: a cloud migration, a new business system, a merger, or a security incident. If your last assessment was more than 12 months ago, it is likely out of date.

You do not need to do much. We will walk you through exactly what access we need before we start. Useful things to have ready: a list of your key systems and software, your current IT provider contact details if applicable, and any existing security policies or incident response plans you have in place. If you do not have those things, that is fine – finding gaps is part of what we are there to do.

Yes. NZISM – the New Zealand Information Security Manual – is one of the frameworks NSP assessments align with. It is the government-endorsed security standard for NZ organisations and is increasingly referenced by NZ insurers and regulators. If you are subject to NZISM requirements, or preparing for a review that involves NZISM compliance, our assessment can be scoped accordingly.

Yes. The Privacy Act 2020 requires NZ businesses to protect personal information and, in the event of a notifiable privacy breach, to notify both the Privacy Commissioner and affected individuals. An NSP assessment identifies where personal data is stored, who has access to it, how it is protected, and whether your current controls meet the standard the Act requires. It is not a legal audit, but it gives you a clear picture of your risk exposure under the Act.

That depends on what you need. The assessment is a standalone engagement – you get the report and the roadmap, and you can take it wherever you like. If the findings identify gaps that need ongoing remediation, NSP’s managed services and cybersecurity teams can help you address them. Because we already understand your environment from the assessment, there is no re-briefing. Some clients also use their assessment report to engage a vCISO to oversee implementation of the roadmap.