Used by NZ public-sector security teams
Turn your next compliance return into a funded business case.
A risk intelligence platform built around NZISM and MCSS, not a generic GRC checklist.
MCSS waitlist: free early access for NZ public sector.
Used by central government and regulated enterprises.
MCSS and NZISM built in.
What is MCSS?
The mandatory baseline for NZ public sector cyber security.
The Minimum Cyber Security Standards (MCSS) are 10 baseline security requirements mandated by the Government Chief Information Security Officer (GCISO) for covered NZ public sector agencies. Agencies assess their posture against each standard on a 1–4 Capability Maturity Model (CMM) scale and report results as part of the Protective Security Requirements (PSR) assurance process.
Coverage extends to central government departments, Crown agents, Officers of Parliament, and other GCISO-mandated entities. Reporting is annual. The assessment is self-certified, but the evidence behind each score is expected to withstand scrutiny from Internal Audit and the Audit and Risk Committee.
MCSS sits within New Zealand's broader Protective Security Requirements (PSR) framework. The NCSC publishes and maintains the standards. Updates to the MCSS are coordinated with the NZISM, which provides the deeper technical control set that agencies work against in their Certification and Accreditation (C&A) processes.
The 10 MCSS coverage areas
1. Risk management programme
2. Asset management
3. Software and hardware patching
4. Malware prevention and detection
5. Network security controls
6. Privileged access and multi-factor authentication
7. Cloud and externally hosted services
8. Data protection and backups
9. Incident response capability
10. Logging and security event detection
Each standard is scored on a 1–4 CMM scale: 1 = Initial, 2 = Developing, 3 = Defined, 4 = Managed. The target for most covered agencies is a minimum of CMM 3 across all standards.
Report types, built in
Pre-configured for every role: board, CISO, project manager, assessor, auditor, and more. Export to Word, PDF, or CSV.
Assessment workflow stages
One clear path from scoping to sign-off. Each stage captures the right information at the right time.
NZ public-sector business risks, built in
Score your posture against the risks your Audit and Risk Committee already cares about, not just controls.
The problem
Why most MCSS programmes run on spreadsheets that don't work.
Two weeks of spreadsheet work, every year.
Most NZ public sector teams run their MCSS self-assessment in Excel. Pulling evidence, scoring controls, chasing approvals, and formatting the return takes two weeks of GRC analyst time — time that repeats every annual cycle.
Evidence scattered across SharePoint, email, and shared drives.
When the assessment closes, the evidence files stay where you left them. Next year, the archaeology dig starts again. Internal Audit asks for the same documents, and nobody can find last year's pack in under a day.
A compliance score that doesn't fund anything.
The MCSS return tells you where you sit. It doesn't tell your CE or A&R Committee what to fund next. The funding case is a separate document that someone writes from scratch, disconnected from the evidence that drove the score.
Your maturity score, your top risks, and what to prioritise next. All in one report you can re-run when the data moves.
How it works
From compliance activity to risk intelligence your board can act on.
Set the brief
Pick your framework and your starting point: compliance-led, risk-led, or both. Speculo works from what your organisation already uses and is designed to convert that work into a risk picture your business can act on, not just a score your auditor accepts.
Run the assessment
Score your controls against your chosen framework. Evidence attaches at the control level, so your compliance record and your risk position build at the same time. Whether you're starting fresh or moving from another tool, the workflow is the same.
See where you're exposed
Every control gets a risk reduction score. Speculo calculates the exact impact each control has on your overall risk position, so you know before you start where assessment effort will produce the most reduction.
Plan what to fix first
Most cyber security audit approaches treat every control as equally important. Speculo focuses your team's effort on the controls that materially move your risk position. The capacity you save goes toward maturing those controls to their target, not working through a uniform list.
Take the funded case forward
The compliance work your team did becomes the risk language your board needs. Same data, no translation. Speculo surfaces the gap analysis, risk position, and prioritised roadmap your funding case requires. The case itself is yours to take forward.
How Speculo fits
What changes when you run MCSS in Speculo.
Run your MCSS return in the platform, not a spreadsheet.
Speculo's seven-stage assessment workflow guides your team from scoping through to digital sign-off. Controls are pre-mapped to MCSS requirements. Evidence is collected at the control level and reused in the next cycle. The annual return is a by-product of the work, not a second job.
Evidence held at the control level, ready for audit.
Every piece of evidence is linked to the control it supports, tracked through an approval workflow, and stored in one place. When Internal Audit asks what you had in place for Standard 4 last year, the answer is one click away.
Turn the MCSS return into a funded business case.
Speculo scores your controls by the risk reduction they deliver and surfaces the prioritised remediation plan your A&R Committee needs to fund the next uplift. The same data that produces your MCSS score produces the business case appendix. No rework, no second document.
By sector
Built for the cyber work your team already does.
From the team
Field notes from NZ cyber and compliance work.
13 May 2026 · 8 min read
Why the MCSS Spreadsheet is a Trap
Every NZ agency doing MCSS starts in a spreadsheet. It seems fine at first. Here's where it breaks down, and what it costs you when it does.
13 May 2026 · 8 min read
MCSS is the business case you haven't written yet
Most cyber vendors will sell you MCSS as a compliance headache. We think that's the wrong way round. The Minimum Cyber Security Standards are mandatory. The only question is whether you treat that work as a cost centre, or as the cheapest business case you'll ever write.
13 May 2026 · 1 min read
NZISM Explained: What NZ Government Agencies Need to Know
The New Zealand Information Security Manual is the government's security framework for agencies handling official information. Here's what it covers, who it applies to, and how it fits alongside MCSS.
Know exactly where you're exposed.
Join the MCSS waitlist for early access. Or book a 30-minute walkthrough. No pitch, no procurement.
Deterministic engine
Same inputs, same report, every time. Defensible to your auditor and your Audit and Risk Committee.
Used in central government
Departments, Crown agents, and public health agencies across the NZ public sector.
NZ cyber, NZ-grown
Deep roots in NZ public-sector and banking cyber. We understand the frameworks, the pressures, and what it takes to make progress.
NZ-built, NZ-supported
Contract under NZ law. Founder reachable. No timezone gap.