From OWASP to NZISM: Navigating Security Standards in New Zealand


Cybersecurity has become a baseline expectation for doing business, and New Zealand businesses are part of that global reality. The Government Communications Security Bureau (GCSB) recently reported 7,122 cybersecurity incidents in a single year, with 343 considered high-impact. Of these, 32% were linked to state-sponsored groups and 19% to financially motivated actors.

This tells us two things:

  1. Threats are shaped by international activity as much as by local opportunists, and
  2. New Zealand organizations are part of a wider global security conversation.

Local businesses, from SMBs to startups to enterprises, don’t need to reinvent the wheel, though. They can draw on well-established global frameworks that explain the “how” of cybersecurity and then map them against the “what” of local requirements, such as the New Zealand Information Security Manual (NZISM).

For small and medium businesses in particular, this integration is powerful. It means you can adopt best practices at a scale that makes sense for your resources, while also aligning with standards that matter to government agencies, Crown entities, and enterprise customers.

Global Toolkits: OWASP, CIS, PTES

As indicated earlier, New Zealand businesses don’t need to start from scratch to build a strong security posture. There are well-established global frameworks that offer practical guidance, each with a distinct focus but designed to work together. Three of the most useful are OWASP, CIS, and PTES.

OWASP as a Guide to Application Security

The Open Worldwide Application Security Project (OWASP) is one of the most widely recognized names in cybersecurity. It’s a community-driven initiative that gives developers and security teams free, practical tools for keeping applications secure. 

Its most famous resource, the OWASP Top 10, highlights the most common and dangerous web application risks. Beyond that, OWASP offers the Application Security Verification Standard (ASVS) and the Web Security Testing Guide (WSTG), which go deeper into requirements and testing approaches.


OWASP cultivates a “secure by design” mindset. In fact, New Zealand’s own business.govt.nz guidance for web developers references the OWASP Top 10, showing how these global best practices have already been woven into local initiatives.

Building Strong Security Foundations with CIS

The Center for Internet Security (CIS) focuses on foundational cyber hygiene. Its CIS Controls (18 prioritized safeguards) and CIS Benchmarks (configuration guides for systems and applications) are globally recognized as essentials in IT security.

What makes CIS especially valuable for SMBs is its tiered approach. For instance, Implementation Group 1 (IG1) is designed for smaller organizations with limited resources, sometimes fewer than ten staff members. That means, when you use CIS, you don’t have to implement everything at once. 

Instead, you can start with a manageable, high-impact set of actions, like ensuring devices are patched, accounts use multi-factor authentication, and system configurations follow best-practice templates. For many New Zealand businesses, CIS can be one of the most approachable entry points into structured security.

Validating Defenses with PTES

Unlike OWASP and CIS, the Penetration Testing Execution Standard (PTES) is less concerned with which defenses to implement and more with how to test whether your defenses hold up. PTES defines a seven-phase process, from scoping and intelligence gathering through to exploitation, post-exploitation, and reporting.

Why does this matter? Because even if you’ve implemented CIS and OWASP, you still need to know whether those measures hold up in practice. PTES gives penetration testers and their clients a common language and clear expectations, ensuring results are consistent, defensible, and actionable. That way, you can be confident your security investments are delivering as expected. 

The NZ-built Penetration Testing as a Service (PTaaS) platform, Blacklock, has built the PTES methodology into its service model, blending automated scans with expert manual testing. This gives customers both the rigour of PTES and the agility of on-demand, continuous testing.

Together, OWASP, CIS, and PTES cover the tactical side of security: how to design, implement, and validate controls. The next step is to understand how they line up with New Zealand’s own playbook: the NZISM.

NZISM and Its Role in New Zealand Security

While OWASP, CIS, and PTES provide global best practices and methodologies, New Zealand also has its own authoritative standard. It’s called the New Zealand Information Security Manual (NZISM). Maintained by the GCSB, the NZISM sets the baseline requirements for protecting government information and systems.

At first glance, that might sound like something only government departments need to worry about. But in reality, its applicability extends well beyond the public sector. Vendors, contractors, consultants, and Crown entities that work with government agencies are all expected to align with NZISM. 

For private businesses, this makes NZISM more than a compliance-focused exercise. It also gives them a competitive advantage. Meeting NZISM requirements can open the door to government and enterprise opportunities.

The NZISM is also part of a broader framework called the Protective Security Requirements (PSR), which outlines how Cabinet expects agencies to manage information, personnel, and physical security. 

For SMBs and startups, the takeaway is simple: while global frameworks offer guidance on how to build and test your defenses, NZISM provides the local benchmark for what the New Zealand government and major customers expect. Aligning with it means you’re not only protecting your business but also signaling maturity and reliability to local partners who care about security.


Comparison at a Glance

From a distance, these frameworks may appear to be competing standards; in fact, they serve different purposes. The table below highlights their primary focus, nature, audience, and key resources. Together, they form a toolkit that New Zealand businesses can adapt to their size, sector, and regulatory obligations.

NZISM
  Primary focus: Government information security
  Nature: Mandatory (for government)
  Target audience: NZ government agencies, vendors, contractors
  Key resources: New Zealand Information Security Manual

OWASP
  Primary focus: Application security
  Nature: Voluntary (community-led)
  Target audience: Developers, security professionals
  Key resources: OWASP Top 10, ASVS, WSTG

CIS
  Primary focus: Foundational IT system hygiene
  Nature: Prioritized (actionable)
  Target audience: IT managers, security practitioners
  Key resources: CIS Controls, CIS Benchmarks

PTES
  Primary focus: Penetration testing methodology
  Nature: Methodological (process)
  Target audience: Pen testers, clients
  Key resources: The 7 phases of PTES

Recommended Roadmap for New Zealand Businesses

So how do these frameworks come together in practice? For New Zealand businesses, especially SMBs and startups, the path to a stronger security posture can be broken down into four practical steps.

Step 1: Start with CIS for baseline IT hygiene

Begin with the CIS Controls, particularly Implementation Group 1 (IG1) if you’re a small team. These safeguards cover essentials like keeping an up-to-date inventory of devices and software, patching systems promptly, and enforcing strong authentication. This amounts to laying a secure foundation for everything else you build.

Step 2: Secure applications with OWASP guidelines

Once the basics are in place, focus on applications, which are typically the entry point for many threats. Use the OWASP Top 10 to guide developers and testers on the most common risks, and lean on resources like ASVS and WSTG for deeper assurance. This step helps bake security into your products and services from the start.

Step 3: Validate via PTES penetration testing

Controls only matter if they work as intended. A penetration test following the PTES methodology gives you structured, professional assurance in that regard. The resulting report offers both executives and technical teams clarity on risks, remediation, and real-world resilience.

Step 4: Align with NZISM for compliance and opportunity

Finally, connect these efforts to the New Zealand Information Security Manual. Doing so ensures you meet local expectations while also opening doors to government contracts and enterprise partnerships. 

In practice, many New Zealand businesses we’ve worked with begin with these global frameworks to drive security improvements, and then treat NZISM as a compliance benchmark to check against. This means NZISM often enters the process as a mapping or gap analysis exercise once foundational controls are in place, rather than being the initial blueprint for every security decision.
