Compliance FAQ
Straight answers to the questions we’re asked most — about PCI, ISO, SOC and government assessments. No jargon, no sales pitch.
QWhat’s the difference between an audit and an assessment?
They’re closely related, but the word changes with the standard. ISO certifications are delivered through an audit by a Lead Auditor; PCI, SOC and government work is delivered as an assessment by a qualified assessor. Either way, an independent expert checks your controls against a recognised standard and reports what they find.
QHow do I know which standard I actually need?
It usually comes down to who’s asking. A payment brand or bank → PCI DSS. A customer’s procurement team wanting proof of security → SOC 2 or ISO 27001. Selling to government → NZISM or the Essential Eight. Not sure? A short scoping call settles it in minutes.
QHow long does compliance take?
Most first-time engagements run 2–6 months, depending on how ready your controls already are. A gap analysis up front shows where you stand — and most of the time goes into remediation (fixing gaps), not the assessment itself.
QWhat is PCI DSS, and who needs it?
PCI DSS is the security standard for any business that stores, processes or transmits cardholder data. If you take card payments — online or in person — the card brands expect you to meet it. Current version: PCI DSS v4.0.1.
QWhat’s the difference between an SAQ and a ROC?
An SAQ is a self-assessment for smaller merchants; a ROC is a formal report produced by a QSA for larger ones. Which applies depends on your merchant level and how you handle card data — our SAQ Selector tool tells you in under a minute.
QWhat is a 3DS Assessment, and who carries it out?
It validates the security of 3-D Secure — the authentication step behind online card payments — and is carried out by a qualified 3DS Assessor. It applies to organisations performing 3DS functions such as ACS or 3DS Server roles.
QWhat is ISO/IEC 27001 certification?
It’s the international standard for an Information Security Management System (ISMS). Certification means an independent Lead Auditor has confirmed you manage information security in a structured, repeatable way. Current version: ISO/IEC 27001:2022.
QHow long does ISO 27001 certification last?
The certificate is valid for three years, with a lighter surveillance audit each year to confirm you’re maintaining the system, then a full recertification audit at the end of the cycle.
QWhat is ISO/IEC 42001, and do I need it?
It’s the first international standard for an AI Management System. It’s becoming relevant for any organisation building or deploying AI that wants to show responsible, well-governed AI to customers and regulators.
QWhat’s the difference between SOC 2 Type I and Type II?
Type I checks your controls are well designed at a point in time; Type II checks they actually operated effectively over a period (usually 6–12 months). Most enterprise customers ask for Type II.
QSOC 2 or ISO 27001 — which should I get?
SOC 2 is favoured by US customers; ISO 27001 is the global certification recognised in tenders worldwide. Many companies eventually do both — see our full side-by-side comparison.
QWhat are NZISM and the Essential Eight?
NZISM is New Zealand’s government information security manual; the Essential Eight is an Australian set of eight baseline mitigation strategies. Both come up when supplying the public sector across NZ and Australia.
QAre you genuinely independent?
Yes — independence and impartiality are the whole point of an assurance firm. We assess against the standard without conflicts of interest, which is what makes our audits and assessments credible to your customers and regulators.
QHow do I get started?
Book a free scoping call. We’ll confirm which standard applies, give you a realistic timeline, and outline the path to your report or certificate — no obligation.