Built for NZ healthcare providers

Bring HISF off the spreadsheet.

A risk intelligence platform built around the Health Information Security Framework, not a generic GRC checklist.

HISF support lands June 2026.

Assessment to board report, one platform

Defensible reporting, every time

Built in New Zealand

Built for clinical and corporate IT teams in NZ healthcare.

HISF native, NZISM ready.

What is HISF?

The information security framework for NZ healthcare.

The Health Information Security Framework (HISF) sets the expectations for how NZ healthcare providers protect patient information and the systems that hold it. It covers clinical and corporate environments together and is designed to be applied across hospitals, primary care, allied health, and Crown entities in the health sector.

HISF aligns with the NZ Information Security Manual (NZISM) for the deeper technical control set and is intended to give Audit and Risk Committees a consistent view of cyber posture across the system. Reporting is ongoing rather than a one-shot annual return, and the evidence behind each assessed control is expected to withstand Internal Audit scrutiny.

Healthcare providers are also exposed to privacy and notifiable-breach obligations under the NZ Privacy Act 2020 and the Health Information Privacy Code. HISF is the practical control framework that ties these obligations together with the underlying technical controls.

Indicative HISF coverage areas

  1. Governance and Information Security Risk
  2. Identity and Access Management
  3. Personnel and Awareness
  4. Physical and Environmental Security
  5. Network and Communications Security
  6. Endpoint and Application Security
  7. Data Protection and Privacy
  8. Logging, Monitoring and Detection
  9. Incident Response and Recovery
  10. Third-party and Supply-chain Risk

Coverage areas are indicative; the published HISF control set is the authoritative reference. Speculo’s HISF mapping is being finalised for release in June 2026.

Report types, built in

Pre-configured for every role: board, CISO, project manager, assessor, auditor, and more. Export to Word, PDF, or CSV.

Assessment workflow stages

One clear path from scoping to sign-off. Each stage captures the right information at the right time.

Risk assessment types

From a rapid control self-assessment through to a full maturity programme with audit-ready evidence. Choose the depth your situation calls for.

The problem

Why most HISF programmes run on spreadsheets that don't work.

HISF assessments split across clinical IT and corporate IT.

Health providers run HISF across two sides of the house. Clinical IT owns the patient-facing systems, corporate IT owns the back office. Each side runs its own spreadsheet, and nobody can answer a HISF question across the full organisation in less than a week.

Evidence scattered across SharePoint, shared drives, and email.

When the assessment closes, the policy PDFs, the change tickets, and the penetration test letters stay where they were attached. Next year, somebody starts the archaeology dig again. Internal Audit asks for the same artefact, and the answer is buried in last year's inbox.

A HISF score that does not fund the next uplift.

Your HISF assessment tells you where you sit. It does not tell your Executive Leadership Team or your Audit and Risk Committee what to fund next. The funding case is a separate document that someone writes from scratch, disconnected from the evidence behind the score.

Your maturity score, your top risks, and what to prioritise next. All in one report you can re-run when the data moves.

How Speculo fits

What changes when you run HISF in Speculo.

Run your HISF assessment in the platform, not a spreadsheet.

Speculo's seven-stage assessment workflow guides your team from scoping through to digital sign-off. Controls are pre-mapped to HISF domains. Evidence is collected at the control level and re-used in the next cycle. The annual return becomes a by-product of the work, not a second job.

Evidence held at the control level, ready for audit.

Every piece of evidence is linked to the control it supports, tracked through an approval workflow, and stored in one place. When Internal Audit asks what you had in place for a HISF domain last year, the answer is one click away — for clinical and corporate systems alike.

Turn the HISF return into a funded business case.

Speculo scores your controls by the risk reduction they deliver and surfaces the prioritised remediation plan your Executive Leadership Team needs to fund the next uplift. The same data that produces your HISF score produces the business case appendix. No rework, no second document.

Deterministic engine

Same inputs, same report, every time. Defensible to your auditor and your Audit and Risk Committee.

Prioritised by impact

Every control is scored by the exact risk reduction it delivers. Focus your team's effort on the controls that move the needle, then use freed capacity to mature them toward target.

Close to the work

Decades across public sector, banking, and consulting. We've done this work and we understand the environment you're operating in.

Hands-on support

Founder-reachable. A direct line to people who've done this work, not an offshore ticket queue.

Know exactly where you're exposed.

HISF support lands June 2026. Book a 30-minute walkthrough to see how Speculo will handle it.