About the NZISM

Introduction

The New Zealand Information Security Manual (NZISM) is an integral part of the Protective Security Requirements (PSR) framework which sets out the Aotearoa New Zealand Government’s expectations for the management of personnel, information and physical security as directed by Cabinet.

The NZISM is the New Zealand Government’s manual on information governance, assurance, and information systems security.

The Director-General of the GCSB in their role as Government Chief Information Security Officer develops and maintains the NZISM, through its National Cyber Security Centre.

Purpose of the NZISM

The NZISM explains processes and defines controls essential for protecting New Zealand Government information and systems.

Its role is to promote a consistent approach to information assurance and information security across all New Zealand Government agencies. The NZISM is based on security threat and risk assessments for any information that is collected, processed, stored or communicated by New Zealand Government systems with corresponding risk treatments (control sets) to manage security risk.

The NZISM is intended to support the structure of, and assist the implementation of, the New Zealand Government policy that requires agencies to protect the privacy, integrity and confidentiality of the information they collect, process, store and archive.

Its role in information governance and assurance helps these organisations to secure their information systems and communications.

Governance, assurance and risk

The safe and secure operation of information systems is essential to New Zealand’s security and economic well-being. These systems underpin public confidence, support privacy and security, and are central to good information systems assurance and governance.

Fundamentals of the NZISM include:

  • clarification of governance requirements
  • role and authority of chief and senior executives
  • principal assurance processes
  • certification and accreditation process

Chief executives and senior leaders in government agencies are ultimately accountable for the management of risk, including cyber risks, within their agency or organisation.

In the face of globally rising and evolving information and cyber threats, it is vital that agency executives, particularly those with information security governance responsibilities, keep abreast of technology challenges and threats and adjust their organisation’s risk stance and security practices accordingly.

What is in the NZISM?

The NZISM provides a set of essential or baseline controls and additional good and recommended practice controls for use by government agencies.

The NZISM also provides additional contextual information and references to support agencies in making informed decisions on the risk-based use of the recommended controls.

The use or non-use of good practice controls must be based on an agency’s assessment and determination of residual risk related to information security.

Who should use the NZISM?

The NZISM is intended for use by New Zealand Government agencies and organisations. Crown entities, local government and private sector organisations are also encouraged to use the NZISM.

The NZISM is tailored to meet the needs of agency information security executives as well as practitioners, vendors, contractors and consultants who provide information and technology services within or to agencies.

History of the NZISM

The NZISM has evolved from the New Zealand Security of Information Technology (NZSIT) policies developed in the early 1990s, redeveloped into the NZSIT 400 series in 2004 and then replaced by the NZISM in 2010.

A major rewrite took place in 2014. This version (v2.0) of the NZISM was completely redeveloped in order to provide more clarity and to incorporate guidance on new technologies. The redevelopment process was supported by extensive consultation within government and with the vendor and practitioner communities.

In 2018 the NZISM (v3.0) became available on a digital platform, allowing easier access and providing the functionality to download content in PDF, CSV and XML formats.

Since then, more frequent updates to accommodate the rapid pace of technological change have become a feature of the NZISM. The context provided in each section is regularly reviewed and expanded to underpin the intent and essence of the NZISM.