What a cyber security audit actually checks.
Every engagement covers the same six areas, tested at a depth that matches the size and risk profile of your organisation. This is the full list of what we look at and why it matters.
The six audit areas
Governance & Policy
Controls are only as good as the decisions behind them. We review who owns cyber security in your organisation, whether policies are current and actually followed, and how decisions get made under pressure.
- Information security policy: existence, ownership and last review date
- Roles and responsibilities, including who has authority to approve exceptions
- Risk register and how often it is revisited
- Staff security awareness training and phishing simulation history
- Alignment to NZISM controls, where relevant to your sector
Identity & Access
Most breaches involve a credential, not a clever exploit. We check who can get into what, how they prove who they are, and how access is removed when someone leaves.
- Multi-factor authentication coverage across email, VPN and admin accounts
- Privileged and administrator account inventory and use
- Joiner, mover and leaver processes, including shared or orphaned logins
- Password policy and use of a password manager
- Remote access and VPN configuration
Data Protection & Privacy
We map where personal and commercially sensitive information actually lives, not just where it is supposed to live, and test whether the Privacy Act 2020's reasonable safeguards requirement is being met in practice.
- Data mapping across cloud storage, email and line-of-business systems
- Encryption in transit and at rest for sensitive data stores
- Retention and secure disposal practices
- External sharing settings in Microsoft 365, Google Workspace or similar
- Privacy Act 2020 alignment, including breach notification readiness
Backup & Recovery
A backup that has never been restored is a guess, not a plan. We check whether recovery would actually work, and how long it would realistically take.
- Backup coverage across servers, endpoints and cloud data (including M365 and Google Workspace)
- Immutable or offsite copies resistant to ransomware
- Restore testing evidence, or lack of it
- Recovery time and recovery point objectives against business need
- Single points of failure in backup infrastructure
Incident Readiness
The difference between a bad afternoon and a bad year often comes down to the first hour. We check whether your incident response plan would hold up under pressure.
- Incident response plan: existence, currency and clarity of roles
- Logging and monitoring coverage for early detection
- Notification obligations, including NCSC/CERT NZ and Privacy Commissioner reporting triggers
- Cyber insurance policy alignment with the actual response plan
- Whether the plan has been tested with a tabletop exercise
Vendor & Third Party Risk
Suppliers, contractors and cloud platforms often hold more access into your systems than a full-time staff member. We map that exposure.
- Inventory of vendors and contractors with system or data access
- Managed service provider access controls and monitoring
- Contract clauses covering security obligations and breach notification
- Fourth-party risk where key vendors rely on their own subcontractors
- Offboarding process when a vendor relationship ends
Need something outside these six areas?
Penetration testing, cloud configuration deep-dives and tabletop incident exercises can all be scoped alongside the core audit.