Compliance

Compliance that actually means something.

Ticking boxes isn't security. But proper compliance — done right — genuinely improves your posture and opens commercial doors. We cover 17 frameworks across security, privacy, and AI regulation. Our two most commonly requested frameworks are NIST CSF 2.0 — the world's most widely referenced security framework — and ISO 27001, the international certification standard. We'll tell you honestly which ones are worth pursuing for where your business is right now.

What's included in every engagement

Gap analysis against your target framework — NIST CSF 2.0, ISO 27001, or others
Remediation planning with clear milestones and ownership
Policy and documentation development
Evidence collection and audit preparation
Liaison with auditors and certification bodies
Ongoing compliance management and monitoring

Not sure which framework you need? NIST CSF 2.0 is an excellent operational baseline. ISO 27001 opens enterprise and government doors. We'll tell you honestly what will deliver value and what isn't worth the investment yet.

Start your compliance journey →

17 frameworks — in four groups

NZ & foundational4 frameworks

International security standards8 frameworks

AI & emerging regulation4 frameworks

Sector & regional1 framework

6 months Average time from initial engagement to ISO 27001 certification for KIS clients Based on internal KIS engagement data

All 17 frameworks

Every framework we cover — grouped by category.

NZ & foundational — 4 frameworks

NZ Privacy Act 2020

Mandatory for every NZ business handling personal information. Includes mandatory breach notification to the Privacy Commissioner. This is the baseline.

Source: Office of the Privacy Commissioner — privacy.org.nz

NZISM

NZ Information Security Manual — required for Crown entities and increasingly expected of government suppliers. KIS is experienced in NZISM assessments.

NZ Algorithm Charter

Voluntary government commitment for organisations using algorithms in decisions affecting people. Covers transparency, bias, and human oversight.

Essential Eight

ACSC's eight prioritised mitigation strategies. Increasingly referenced in NZ government and enterprise procurement. A practical starting point for any SMB.

International security standards — 8 frameworks

NIST CSF 2.0

Updated in 2024 with a new Govern function — the most widely referenced security framework globally. We use it as the basis for our risk assessments and vCISO engagements.

Source: NIST — nist.gov/cyberframework

ISO 27001

The international gold standard for information security management systems. Opens commercial doors with enterprise clients and government. KIS achieves this for clients in 6 months on average — based on internal KIS data.

ISO 27701

Privacy extension to ISO 27001 covering personal information management. Directly aligned with NZ Privacy Act 2020 and GDPR.

ISO 22301

Business continuity management standard. Critical for healthcare, finance, and utilities. Pairs naturally with ISO 27001.

SOC 2

Essential for NZ SaaS businesses selling to US enterprise customers. Type I confirms controls exist; Type II confirms they work over time.

CIS Controls v8

18 prioritised controls. More implementation-focused than NIST CSF — ideal for SMBs who need a concrete roadmap to ISO 27001.

PCI DSS

Required for any business that accepts, processes, stores, or transmits card data. Non-compliance risks fines and loss of card acceptance.

HIPAA

US health data regulation. Relevant for NZ health tech companies selling into US healthcare markets.

AI & emerging regulation — 4 frameworks

EU AI Act

In force since August 2024, with phased obligations through 2027. Applies to any NZ business whose AI systems affect EU residents. High-risk AI systems face strict requirements.

Source: EU AI Act Official Journal — eur-lex.europa.eu

ISO/IEC 42001

The international standard for AI management systems — the ISO 27001 equivalent for AI. Published December 2023 and already being requested by enterprise procurement teams.

NIST AI RMF + GenAI profile

NIST's practical AI risk management framework. The 2024 GenAI profile addresses risks from ChatGPT, Copilot, and similar tools.

GDPR

EU data protection regulation. Applies to NZ businesses processing personal data of EU residents. Fines can reach €20M or 4% of global turnover.

Source: GDPR Article 83 — gdpr-info.eu

Sector & regional — 1 framework

APRA CPS 234

Australian Prudential Regulation Authority information security standard. Relevant for NZ financial services firms with Australian operations or clients.

Not sure where to start?

Tell us about your situation.
We'll point you in the right direction.

Click the description that fits your business best — we'll recommend the right framework for where you are right now.

I'm looking for...

A practical security baseline — NIST CSF 2.0 or Essential Eight — to start with

I'm looking for...

ISO 27001 or SOC 2 certification to win enterprise clients

I'm looking for...

EU AI Act or ISO 42001 readiness for our AI products

I'm looking for...

NZ Privacy Act 2020 compliance — mandatory breach notification requirements

I'm looking for...

Help meeting a government or enterprise security questionnaire

I'm looking for...

I'm not sure — I just know compliance is something I need to address

Related services

Virtual CISO

Your vCISO leads the programme — from NIST CSF 2.0 alignment to ISO 27001 certification.

View service →

Risk assessment

The natural starting point — understand your posture against NIST CSF 2.0 before choosing a framework.

View service →

AI governance

EU AI Act and ISO 42001 compliance alongside our full compliance framework covering 17 standards.

View service →

Our Workflow…

Free conversation
We talk about your business, your concerns, and your goals. No sales pitch.
We scope and quote
A clear proposal arrives within two business days. Exact scope, fixed price — no surprises.
We get to work
We handle the heavy lifting. We’ll only contact you when we need something or have something to show you.
We debrief clearly
Every engagement ends with a plain-English walkthrough of findings, recommendations, and next steps.

What you need to provide…

About an hour of your time
For the initial conversation and the final debrief. We do the rest.
Access to the right people
Usually your IT contact (or you, if that’s the same person) and whoever owns the systems in scope.
Read-only access where needed
For most assessments, we only ever need read access — never admin credentials or the ability to make changes.
An honest picture of where you are
The more candid you are about your current setup, the more useful our findings will be. There’s no judgement here.

That’s genuinely it. You don’t need a dedicated IT team, a security background, or any preparation beyond booking the first call.

Not sure which service you need?

Start here.

A free 30-minute conversation. We’ll tell you honestly what your business needs — and what it doesn’t.

Book a free conversation

What others say about us…

We’d always had a family member looking after our IT, and while we trusted them completely, we hadn’t realised how much risk we were quietly carrying. KIS came in and overhauled our entire security setup, got us properly configured with multi-factor authentication, and went through our Microsoft 365 environment to make sure the right people had the right access and licensing. It wasn’t just a technical fix, it was genuine peace of mind. We now know our systems are actually secure, not just looked after by someone who means well.

Jeremy T.Owner, Auto Services

As a financial services firm, protecting client data isn’t optional. We had no formal security management framework in place and knew we needed to get serious. KIS assessed where we stood and mapped out a practical path toward NIST and ISO 27001 compliance, grounded in what was realistic for our size and structure. Their advice was prioritised and clear, and we came away with a credible roadmap and the confidence that we’re taking the right steps in the right order.

Pam K.CIO, Financial Services Firm

We were rolling out AI across the organisation and our internal IT team is great, but this was new territory. We needed someone to close the gaps fast and set us up to manage things ourselves going forward. KIS delivered on all of it. They implemented data loss prevention, a document classification scheme, and Microsoft Purview, and the uplift in our security and compliance posture has been significant. The best part? They didn’t just fix things and leave. We came out of it actually understanding the system and capable of running it ourselves.

Abby S.Compliance Officer, Telecommunications Company

We’re a small non-profit focused on young people, and like many organisations like ours, we were running largely on goodwill and volunteers. We had a website collecting significant personal information and, honestly, we hadn’t fully grasped the risk we were sitting on. KIS conducted a penetration test, walked us through every finding, and worked through remediation of all critical vulnerabilities with our budget in mind the whole time. They treated our mission as if it mattered to them too, and that made all the difference.

Elizabeth C.Senior Leader, Youth Organisation

Compliance that actually means something.

Every framework we cover — grouped by category.

NZ Privacy Act 2020

NZISM

NZ Algorithm Charter

Essential Eight

NIST CSF 2.0

ISO 27001

ISO 27701

ISO 22301

SOC 2

CIS Controls v8

PCI DSS

HIPAA

EU AI Act

ISO/IEC 42001

NIST AI RMF + GenAI profile

GDPR

APRA CPS 234

Tell us about your situation.We'll point you in the right direction.

Virtual CISO

Risk assessment

AI governance

Our Workflow…

What you need to provide…

Not sure which service you need?

What others say about us…

KIS

Services

Company

Useful links

Tell us about your situation.
We'll point you in the right direction.