Change overview

Read about the recent changes made to the NZISM.

 

Key management (section 17.9)

Rationale:
This section had not been revised in a few years, which presented an opportunity to make it more accessible and easier to understand.

Change Description:

New content, including diagrams, was added to make key management concepts easier to understand. The revised content has been tailored to better reflect current key management operating practices, including cloud.

  • one control has been deleted [CID 3016].
  • one new control has been added.
  • one control has been amended.

Expected Outcome:
Agencies have a clearer understanding of protecting cryptographic keying material through key management procedures.


Change Area: Applicability, authority, and compliance - GCISO (section 1.2)

Rationale:
The GCISO role was established in 2018. In July 2022, the Public Service Commissioner formally appointed the GCISO as System Lead for Information Security.

Change Description:
The new content in section 1.2 outlines the role of the GCISO under its new system lead mandate.

Expected Outcome:
The GCISO mandate is introduced into the NZISM. The NZISM applies to the same agencies mandated under the Protective Security Requirements.


Information security services within government (section 2.1)

Rationale:
This section had not been updated in quite some time. The rapidly changing landscape of cyber security has seen changes in GCSB’s mission. NCSC has grown exponentially, and CERT NZ has also become part of the NCSC.

Change Description:
Originally this section gave a very brief description of the role of the GCSB and touched on other agencies. We have updated content on the GCSB, included information on the NCSC and provided information on System Leads such as GCISO, GCDO, GCDS, GCSL and GCPO.

One control [199] has been changed from SHOULD to MUST: Security personnel MUST familiarise themselves with the information security roles and services provided by New Zealand Government organisations.

Expected Outcome:
This section provides an overview of the GCSB, NCSC and other government organisations providing information security advice to agencies.