Securitec Consulting and Professional Services

Governance, Risk and Compliance (GRC) Services

GRC Services Drive Predictable Security Posture in Projects

Securitec specialises in providing experienced GRC consultants to suit the needs of your organisation. Much like our Technical and Security Business Analysts, our GRC experts form an integral part of strategic business re-engineering, transitioning your business from its current state to a fully accredited future state that meets the highest standards of the New Zealand Information Security Manual (NZISM).


Our Security, Technical and Risk consultants leverage industry-specific methodologies to identify risks, reveal opportunities for business improvement, and bridge gaps between stakeholders and service providers. By facilitating the evolution of security frameworks and optimising compliance processes, we ensure that both end-users and stakeholders obtain a secure and desirable product.


1. Responsibility and Accountability Mapping

Securitec identifies and documents the operational responsibilities assigned to the seller versus the consuming company to ensure a robust identification of duties. This mapping includes implementing, managing and maintaining technical security controls such as encryption and access protocols.


We explicitly audit all vendor agreements to identify clauses that attempt to transfer accountability for data protection from the agency to the provider. Under the NZISM, while operational tasks such as system management can be outsourced, the Company Head or Chief Executive remains ultimately accountable for information security and the formal acceptance of residual ICT risks.


Our GRC consultants analyse the Shared Responsibility Model defined in your contracts to ensure no security gaps exist between the provider’s duties and your internal controls. We work with business and technology groups to profile the business need and ensure that the resulting solutions match that need without creating unmanaged vulnerabilities.


2. Security Risk Audit and Consuming Agency Impact

Securitec provides resources and capabilities that facilitate an effective understanding of jurisdictional and sovereignty risks. We identify exactly where data will be stored geographically, highlighting critical risks if data is offshore and subject to foreign access laws that could conflict with New Zealand law.


We review all systems and their supporting documentation to ensure that adequate workload and tenant isolation on shared infrastructure is guaranteed. This includes assessing the separation of the cloud provider’s platform administrative interfaces from customer-accessible services to prevent unauthorised access.


Our audit process identifies supply chain risks related to the provider's own sub-contractors and the lack of transparency in their operations. Securitec mandates that agencies receive information identifying restrictions on the use of technology arising out of security arrangements with these third parties.

3. Risk Mitigation and Transfer Strategies

Our practice ensures that contracts grant the consuming company explicit audit and assurance rights. We suggest language to mandate the provision of independent assurance reports, such as SOC 2 Type 2 or ISAE 3402, which provide validated evidence of control effectiveness over a specified period.


We define the provider's obligation to notify the company of security incidents within a specified window. Our GRC services ensure that vendor contracts enable the sharing of incident information with the National Cyber Security Centre (NCSC) and require the provider to consult with the agency during remediation.


Securitec assists in defining Service Level Agreements (SLAs) in which security-related financial penalties or service credits apply for failures in availability or processing integrity. We hold the solution to account against the scope and requirements of the project to ensure business continuity.


4. Recommended Safeguards and Contractual Changes

We ensure that all contractual clauses explicitly state that the business retains ownership of all customer information and intellectual property. Our practice works to ensure that no ownership of security risk is unknowingly transferred to the business through poor documentation.


Securitec recommends robust exit strategy and decommissioning provisions. We ensure that upon contract termination, all company data is either returned or independently verified as being purged and erased through a verifiable process.


We mandate that providers must apply the latest baseline security controls specified in the NZISM. Because the threat environment is dynamic, our GRC service ensures your systems are updated according to the current risk environment, reversing any dispensations that are no longer appropriate.


Standards & Best Practice

To ensure our clients are provided with the highest quality of service, Securitec adheres to international standards including ISO 31000:2018 for risk management and ISO/IEC 27001 for information security management. Our practice is in line with professional associations such as the International Institute of Business Analysis and the GCISO system leadership.

Copyright © 2021 Securitec Consulting - All Rights Reserved.