Information security reviews maintain the security of agency systems and detect gaps and deficiencies.

]]> This section covers information on conducting reviews of any agency’s information security posture and security implementation.

]]> An information security review:

identifies any changes to the business requirements or concept of operation for the subject of the review;
identifies any changes to the security risks faced by the subject of the review;
assesses the effectiveness of the existing counter-measures;
validates the implementation of controls and counter-measures; and
reports on any changes necessary to maintain an effective security posture.

]]> An information security review can be scoped to cover anything from a single system to an entire agency’s systems.

]]> Additional information relating to system auditing is contained in:

Reference	Title	Publisher	Source
ISO/IEC 27006:2015	Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems	ISO	https://www.iso.org/standard/62313.html
ISO/IEC 27007:2020	Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing	ISO	https://www.iso.org/standard/77802.html
ISO/IEC TS 27008:2019	Information technology — Security techniques — Guidelines for the assessment of information security controls	ISO	https://www.iso.org/standard/67397.html

]]> Relevant PSR requirements can be found at:

Reference

Title

Source

PSR Mandatory Requirements

GOV3, INFOSEC1, INFOSEC2, INFOSEC3 and INFOSEC4

Home | Protective Security Requirements

Security governance (GOV) | Protective Security Requirements

Information security (INFOSEC) | Protective Security Requirements

PSR requirements sections

Self-assessment & reporting

Protective security measures

Self-assessment and reporting | Protective Security Requirements

Complying with the Protective Security Requirements | Protective Security Requirements

]]> Annual reviews of an agency’s information security posture can assist with ensuring that agencies are responding to the latest threats, environmental changes and that systems are properly configured in accordance with any changes to information security documentation and guidance.

]]> Agencies SHOULD undertake and document information security reviews of their systems at least annually.

]]> Reviews may be undertaken by personnel independent of the target of evaluation or by an independent third party to ensure that there is no (perceived or actual) conflict of interest and that an information security review is undertaken in an objective manner.

]]> Agencies SHOULD have information security reviews conducted by personnel independent to the target of the review or by an independent third party.

]]> Incidents, significant changes or an aggregation of minor changes may require a security review to determine and support any necessary changes and to demonstrate good systems governance. An agency may choose to undertake an information security review:

as a result of a specific information security incident;
because a change to a system or its environment that significantly impacts on the agreed and implemented system architecture and information security policy; or
as part of a regular scheduled review.

]]> In order to review risk, an information security review should analyse the threat environment and the highest classification of information that is stored, processed or communicated by that system.

]]> Depending on the scope and subject of the information security review, agencies may gather information on areas including:

agency priorities, business requirements and/or concept of operations;
threat data;
risk likelihood and consequence estimates;
effectiveness of existing counter-measures;
other possible counter-measures;
changes to standards, policies and guidelines;
recommended good practices; and
significant system incidents and changes.

]]> Agencies SHOULD review the components detailed in the table below. Agencies SHOULD also ensure that any adjustments and changes as a result of any vulnerability analysis are consistent with the vulnerability disclosure policy.

Component	Review
Information security documentation	The SecPol, Systems Architecture, SRMPs, SSPs, SitePlan, SOPs, the VDP, the IRP, and any third party assurance reports.
Dispensations	Prior to the identified expiry date.
Operating environment	When an identified threat emerges or changes, an agency gains or loses a function or the operation of functions are moved to a new physical environment.
Procedures	After an information security incident or test exercise.
System security	Items that could affect the security of the system on a regular basis.
Threats	Changes in threat environment and risk profile.
NZISM	Changes to baseline or other controls, any new controls and guidance.

]]>