Spectrum Consulting has gained ISO/IEC 27001:2022 certification, completing the process in seven months.
The certification covers the Auckland technology services company's information security management system and sets a formal benchmark for a business that works with critical infrastructure clients in sectors including banking, rail and utilities.
Spectrum said the process took less than half the usual industry timeframe of 18 to 20 months. Implementation and consulting costs also fell by about 75 per cent during the project.
Instead of relying on manual compliance processes built around spreadsheets and external documentation, the company used Spotica, a New Zealand-developed governance, risk and compliance platform. Spectrum said this enabled it to create a digital information security management system with compliance tracking, reporting and assigned control ownership across the business.
For Spectrum, the certification carries commercial as well as operational weight, as ISO 27001 is often required in procurement processes involving government agencies and larger organisations.
"For any technology partner managing critical infrastructure, trust and validation are non-negotiable," said Deane Jessep, Chief Technology Officer and CISO at Spectrum Consulting.
"When bidding on government or high-value enterprise tenders, ISO 27001 is a baseline requirement. If you do not have it, you cannot proceed. By partnering with Spotica, we did not just complete a check-box exercise; we inculcated a rigorous, top-down security culture across our entire organization, from pre-sales to delivery, and completed it in record time," Jessep said.
The external audit found no major non-conformities and two minor non-conformities, one of which was closed before the final report was completed.
Rather than relying on interviews and document exchanges over several weeks, the auditor was given direct access to the Spotica platform. Spectrum said this allowed the auditor to review mapped controls, risk registers and supporting evidence through the system.
Audit process
Spotica said the outcome reflected Spectrum's level of preparation and the use of a more structured compliance workflow.
"This achievement reflects the dedication and professionalism of the Spectrum team. Their proactive engagement and commitment to adopt the best-practice guidance were instrumental in the success of delivering a significant transformation while keeping business disruption to an absolute minimum," said Rowan Poole, APAC Head of Partnerships at Spotica.
"Many organizations dread the ISO process because they rely on fragmented Excel sheets and expensive external consultants who leave behind static documents," Poole said.
"Spectrum utilized Spotica to establish structured, logical control ownership directly within their leadership team. The auditor was able to verify their entire security posture independently, turning what is usually a highly disruptive process into a seamless digital experience," he said.
The project also points to a wider shift in how organisations handle security certification, with internal teams using software tools to manage evidence, risks and controls rather than building one-off document sets for a single audit.
Spectrum said it is now using the same system to map current controls against other frameworks, including ISO 42001, SOC 2 Type II and the CIS Critical Security Controls. The aim is to identify only the differences between standards rather than repeat the full exercise each time.
Zoe Baikie, Information Security Manager at Spectrum Consulting, said the process can be managed in stages rather than as one large compliance programme.
"Spotica allowed us to start small, focus only on what mattered in each phase, and iterate continuously," Baikie said.
"For organizations that have struggled to move from aspirational security to structured, audited action, a digital ISMS removes the pain, cuts the clutter, and builds genuine operational resilience," she said.
Founded in 2001, Spectrum is a New Zealand-owned IT services provider based in Auckland. Its work centres on secure infrastructure, software-defined networking and cyber resilience for organisations that run essential services.