Speculo vs Sectara — NZ GRC platform comparison
Sectara is an Australian GRC platform used across the AU government and enterprise market. Speculo is built for New Zealand. This comparison covers what each platform delivers for NZ organisations with MCSS, NZISM, and PSR obligations.
Summary
Sectara
A capable, mature GRC platform built for the Australian market. Strong for organisations whose primary obligations are Australian (Essential Eight, ISM, PSPF). Not purpose-built for NZ: MCSS and NZISM are not native frameworks, data primarily sits in Australia, and framework updates follow an AU-first cadence. The contract is under Australian law.
Best for: AU-primary organisations with NZ presence, or NZ teams whose primary driver is ISO 27001 rather than MCSS.
Speculo
Built for New Zealand from the ground up. MCSS and NZISM are native frameworks, not secondary mappings. Data stays in New Zealand (Azure North, Auckland). Contract is under NZ law. Platform is maintained by an NZ team that tracks NCSC and GCISO changes directly. Designed for the PSR assurance cycle and the NZ public sector procurement context.
Best for: NZ public sector agencies, NZ-regulated enterprises, and organisations where MCSS, NZISM, and NZ data residency are non-negotiable.
Side by side
How the platforms compare for NZ organisations.
| Criterion | Sectara | Speculo |
|---|---|---|
| MCSS native support | No — NZ frameworks are secondary to AU primary market | Yes |
| NZISM native support | Limited — not purpose-built for NZ ISM | Yes |
| NZ framework update cadence | AU-first — NZ updates trail the primary market | NZ-maintained — NCSC changes reflected in the platform |
| Data residency | Australia (primarily) | Azure North (Auckland, New Zealand) |
| Built for NZ public sector | No — Australian government is the primary design context | Yes |
| Funded business case output | Risk register | Prioritised remediation plan ready for A&R Committee |
| NZ Privacy Act 2020 compliance posture | Australian Privacy Act primary | NZ Privacy Act 2020 aligned |
| NZ-owned vendor | | 100% NZ-owned, Wellington-based |
| Contract jurisdiction | Australian law | New Zealand law |
| MCSS CMM 1–4 scoring | Not native | Built-in, matches NCSC scoring model |
| C&A (Certification & Accreditation) workflow | Not native to NZ ISM C&A process | NZ ISM C&A workflow supported |
| PSR assurance process alignment | Not designed for PSR | Designed for NZ PSR assurance cycle |
The NZ frameworks question
For NZ public sector organisations, the primary framework obligations are MCSS and NZISM — not the Australian Essential Eight or PSPF. A platform designed and maintained for the Australian regulatory environment will carry MCSS and NZISM as secondary or custom mappings, added after the primary Australian build. That creates two problems: the framework may not reflect the exact language, scoring model, and reporting format used in NZ (MCSS CMM 1–4, C&A workflow, PSR reporting), and updates to NZ frameworks will lag behind the AU primary market.
Speculo is built for MCSS and NZISM from the ground up. The CMM 1–4 scoring model, the GCISO assurance cycle, and the PSR reporting requirements are the design inputs, not an afterthought. When NCSC updates a standard, Speculo reflects it without waiting for an AU-first release cycle.
Data residency and procurement
NZ government and regulated enterprise procurement processes increasingly require NZ data residency. The Privacy Act 2020 creates obligations around offshore storage of personal information that require specific contractual protections when data leaves New Zealand. An Australian-hosted GRC platform storing NZ government assessment data creates a residency question that needs a Privacy Officer and legal sign-off before the procurement can proceed.
Speculo stores all customer data in Azure North (Auckland, New Zealand). No data leaves New Zealand. The contract is under New Zealand law. For NZ public sector agencies, this removes a procurement blocker before the conversation starts.
When Sectara might be the right choice
Sectara is a mature, capable platform with a strong track record in the Australian market. It is a reasonable choice for NZ organisations that primarily report against Australian frameworks (Essential Eight, ISM), have Australian parent entities that already use Sectara, or whose primary driver is ISO 27001 rather than MCSS.
If your GRC programme is primarily NZ-framed — MCSS annual return, NZISM C&A, NZ data residency requirement, NZ law contract — then Speculo is the more direct fit. The question is which platform you will spend less time customising to fit the NZ context.
Common questions
Speculo vs Sectara — frequently asked
What is Sectara?
Sectara is an Australian security risk management platform developed for the Australian government and enterprise market. It provides risk assessment, compliance mapping, and reporting capabilities and is used by organisations across Australia and internationally.
How is Speculo different from Sectara for NZ organisations?
Speculo is built specifically for the New Zealand regulatory environment. MCSS and NZISM are native frameworks — not secondary mappings added after the Australian primary build. Speculo's data stays in New Zealand (Azure North, Auckland), the contract is under NZ law, and the platform is maintained by an NZ team that tracks NCSC and GCISO updates directly.
Does Sectara support MCSS?
Sectara does not have MCSS as a native, built-in framework. NZ frameworks in AU-first GRC platforms are typically added as secondary mappings that trail the primary AU market in update cadence and may not reflect the exact MCSS scoring model or CMM language used in NZ public sector reporting.
Is Sectara a good fit for NZ government agencies?
Sectara is a capable platform for organisations whose primary framework obligations are Australian (Essential Eight, ISM, PSPF). For NZ public sector agencies whose primary obligations are MCSS, NZISM, and the PSR assurance cycle, an NZ-native platform is a better fit. The procurement and data residency story is also simpler when the vendor and the data are both in New Zealand.
Can Speculo import data from Sectara?
Yes, in most cases. If you have assessment data in Sectara, we can work through an import path. Talk to us about your specific situation and we will assess what is practical.