We become your IT department and own the day-to-day.
›Managed IT Your whole environment, owned ›Managed Devices Endpoints, patched & tracked ›Microsoft 365 The workplace, managed ›Cloud & Azure Networks, Wi-Fi, voiceSecurity operations you can verify, and show.
›24-Hour CyberSOC Security ops that don't clock off ›Compliance Reviews Aligned to Essential 8 & ISO ›Backup & Recovery Provably restorable ›Identity & Email MFA enforced, threats stoppedHonest strategy and predictable budgets.
›IT Advisory & vCIO Honest, predictable plans ›AI & Copilot Where it genuinely helps ›Compliance & Governance Audit-ready evidence ›Projects & Consulting Build what you can't buyFirms that run on trust, time and confidential data.
›Accounting Ledgers & client data ›Legal Privilege & matter files ›Business Advisory Plans & reporting ›Mortgage & Finance Loan files & AML/CFT ›Insurance Claims & client records ›Insurance Brokers Cover & premiumsSite, studio and floor, where uptime is the product.
›Construction Sites & project files ›Architecture Drawings & large models ›Quantity Surveyors Cost data & big files ›Manufacturing Floor & ERP uptime ›Healthcare Patient data & privacyFast-moving operations that can't carry downtime.
›Logistics Fleet, orders & tracking ›Retail & Wholesale POS & storefronts ›Technology Cloud-native teams ›Distribution Inventory & systemsPlain-English playbooks for the controls that matter.
›Essential Eight ASD's eight, explained ›DIY Cybersecurity Lock down the basics ›Cyber Standards Guide ISO, SMB1001 & more ›M365 Selection Guide Pick the right licencesSelf-serve checks that map where you stand.
›Security Assessment Score your posture ›Network Assessment Find the weak spots ›M365 Security Checklist Find the gaps ›Cyber Insurance Readiness Be claim-readyGet more from the tools you already pay for.
›SME Tech Outlook 2026 Where NZ tech heads next ›Copilot Learning Hands-on with Copilot ›FAQ Straight answers ›CEO's Blog Plain-English viewsA senior team with the skills and scale for any project.
›About Belton Who we are, plainly ›How We Work Our delivery process ›Who We Work With The fit we look for ›Leadership Jason & Amy Agnew + teamThe evidence behind the claims, and ways to build with us.
›Case Studies Real outcomes, named ›Accreditations The proof behind the practice ›Industries Sector-specialised ›White-label / Partners Our bench, your brandReal people, fast, no ticket-queue runaround.
›Contact Us Talk to a human, today ›Book a Session A 90-minute discovery ›Find Us Newmarket, Auckland ›Remote Support Get help nowNavigating cybersecurity standards can be overwhelming. ISO 27001, Essential Eight, SOC 2, PCI DSS, the alphabet soup of frameworks leaves many businesses unsure where to start or what actually applies to them.
This guide cuts through the complexity. We will help you understand which standards matter for your industry, what compliance actually requires, and how to build a security programme that protects your business without unnecessary overhead.
Different industries have different regulatory requirements and risk profiles. Here is what typically applies.
Investment firms, insurers and lenders carry heavy regulatory oversight with strict data protection requirements.
Medical practices, allied health, aged care and health tech. Patient data requires strong privacy controls.
Law firms, accountants and consultancies. Client confidentiality and professional obligations drive requirements.
Online stores, point-of-sale and retail chains. Payment processing triggers PCI DSS requirements.
Software companies, cloud services and tech startups. Enterprise customers often require compliance attestations.
Production, supply chain and industrial operations. IP protection and operational technology security.
Government agencies, councils and public services. Mandated frameworks with specific requirements.
Schools, universities and training providers. Student data protection and research IP security.
Each framework has a different focus and level of rigour. Cost indications are approximate and vary significantly based on organisation size, complexity, and existing security maturity.
What it is: The international gold standard for information security management systems (ISMS). ISO 27001 provides a systematic approach to managing sensitive information.
Who needs it:
What is involved: Certification requires implementing documented policies, risk assessments, and controls across 14 domains. Annual surveillance audits maintain certification. Expect 6 to 12 months for initial certification.
Cost indication: $15,000 to $50,000+ for certification depending on organisation size, plus ongoing audit costs.
What it is: Eight prioritised mitigation strategies developed by the ACSC. Practical, technical controls that address the majority of cyber incidents.
Who needs it:
What is involved: Four maturity levels (0 to 3). Most organisations should target Maturity Level 2 or 3. Self-assessment is possible, or use a third-party assessor.
Cost indication: Implementation costs vary widely. Many controls use existing Microsoft 365 tools. Assessment: $5,000 to $15,000.
What it is: An audit framework for service providers storing customer data in the cloud. Developed by AICPA. Evaluates controls related to security, availability, processing integrity, confidentiality, and privacy.
Who needs it:
What is involved: Type I (point in time) or Type II (period of time, typically 6 to 12 months). Requires a CPA firm audit. Annual attestation.
Cost indication: $30,000 to $100,000+ for the audit depending on scope and organisation complexity.
What it is: Security standard for organisations that handle credit card data. Maintained by the major card brands (Visa, Mastercard and others).
Who needs it:
What is involved: Compliance level depends on transaction volume. Most SMBs can self-assess using the SAQ (Self-Assessment Questionnaire). Larger merchants need external assessments.
Cost indication: Using a payment processor that handles card data (like Stripe) significantly reduces scope. Full PCI compliance: $5,000 to $200,000+ depending on level.
What it is: New Zealand's privacy legislation governing how organisations collect, use, store, and disclose personal information.
Who needs it:
What is involved: 13 Information Privacy Principles. Mandatory breach notification (serious harm threshold). A privacy officer is recommended but not mandatory for most.
Cost indication: Compliance is a baseline legal requirement. The cost is implementing appropriate policies and controls, often integrated with a broader security programme.
What it is: European Union regulation on data protection and privacy. Known for strict requirements and significant penalties.
Who needs it:
What is involved: Lawful basis for processing, data subject rights, a Data Protection Officer (in some cases), data processing agreements, and breach notification within 72 hours.
Cost indication: Varies significantly. May require legal counsel for gap analysis. Implementation: $10,000 to $100,000+ depending on data handling complexity.
What it is: Voluntary framework developed by the US National Institute of Standards and Technology. Provides a common language for managing cybersecurity risk.
Who needs it:
What is involved: Five core functions, Identify, Protect, Detect, Respond, Recover. Self-assessment against maturity tiers. No formal certification.
Cost indication: Free to use. Implementation costs depend on current maturity and desired state.
The Essential Eight gives you the most security for your money. These eight controls address the most common attack vectors and are practical to implement. Target Maturity Level 2 as your baseline, it covers the fundamentals without requiring enterprise-grade tooling.
This is not optional, it is the law. But many organisations have not properly documented their privacy practices. Get your privacy policy right, understand what data you hold, and have a breach response plan ready.
Insurers increasingly require specific controls. MFA, endpoint protection, backup verification, and email security are typically baseline requirements. Check your policy and make sure you can actually claim if something goes wrong.
Only pursue ISO 27001 or SOC 2 when customer requirements justify the investment. The time and cost are significant, and certification for its own sake does not make you more secure, it just proves you have implemented the controls.
We help organisations cut through the complexity. Our security assessment identifies what you actually need based on your industry, customers, and risk profile, not a one-size-fits-all checklist.
Sovereign data centres across New Zealand and Australia, with your data kept onshore wherever it's required. Our team understands New Zealand, and our leaders have built, scaled and secured businesses right across the New Zealand landscape.
Fortinet Partner Lenovo Partner HP Partner Apple Business Manager