Everything owners ask before booking an audit.
Straight answers to the questions we hear most from New Zealand business owners and managers.
What is a cyber security audit and do I need one?+
A cyber security audit is a structured review of your organisation's controls across governance, access, data protection, backup, incident readiness and vendor risk, checked against a recognised framework such as NIST CSF 2.0 or NZISM. Most mid-size New Zealand organisations and small businesses commission one ahead of a cyber insurance renewal, a customer's due diligence request, or as part of ordinary board oversight.
How much does a cyber security audit cost in New Zealand?+
Fixed-price audits for most smaller New Zealand organisations start from $7,000 + GST. Cost depends mainly on staff numbers, the number of systems in scope, and whether external vulnerability testing is included. Larger or regulated organisations receive a custom quote after a short scoping call.
How long does a cyber security audit take?+
Most engagements for mid-size organisations and small businesses run for two to four weeks from the scoping call to the final report. Total time required from your team is usually around half a day, spread across the scoping call, handing over evidence and one or two short interviews.
What is the difference between a cyber security audit and a penetration test?+
An audit reviews governance, policy, access, data protection, backup and vendor risk against a framework, and is largely evidence and interview based. A penetration test actively attempts to exploit technical weaknesses in your systems. Many organisations start with an audit and add penetration testing as a scoped extra, since it answers a different question.
Will the audit disrupt our day-to-day operations?+
No. Access to your systems is read-only, no software is installed on your network, and any external testing is scheduled and non-disruptive. Most staff will not notice the audit is happening.
Do you check compliance with the Privacy Act 2020?+
Yes. Data protection and privacy is one of the six core audit areas. We check where personal information is held, who can access it, how long it is retained, and whether the organisation could meet its notification obligations under the Privacy Act 2020 if a breach occurred.
What is NZISM and does it apply to my business?+
The New Zealand Information Security Manual (NZISM) is the government's information security standard, originally written for the public sector but widely used as a benchmark for private organisations too, especially those that supply government agencies or regulated industries. We map audit findings against the NZISM controls that are relevant to your size and sector.
Who receives the report, and how technical is it?+
The report is written for two audiences at once: an executive summary in plain English for owners and boards, and a detailed findings section for whoever manages your IT, whether that is an internal team or an outsourced provider. Every finding includes a plain explanation of the risk and a prioritised recommendation.
Can the audit support a cyber insurance application or renewal?+
Yes. Many clients commission an audit specifically because an insurer has asked for evidence of controls beyond a self-assessed questionnaire. The report can be shared directly with your broker or insurer as supporting evidence.
What happens after the audit is finished?+
You receive the final report and a 90-day prioritised roadmap, plus one included follow-up call to talk through implementation. Many clients then book a remediation verification a few months later, or move to an annual re-audit cycle.