General

The Director-General of the Government Communications Security Bureau (GCSB) is the Government Chief Information Security Officer (GCISO) leading Information Security (InfoSec) across the New Zealand Government. 

As the system lead, the GCISO helps strengthen government decision-making around information security and supports a system-wide uplift in security practice.

The GCISO works in close partnership with the other system leaders, including the Government Chief Digital Officer (GCDO), the Government Chief Data Steward (GCDS), the Government Chief Privacy Officer (GCPO) and the Government Protective Security Lead (GPSL).


Learn more about the Government Chief Information Security Officer.

Learn more about the Government Communications Security Bureau.

Are DHBs, Crown Entities, Local Government bodies and other similar entities required to use the NZISM?

The NZISM is mandatory for prescribed government agencies; refer to NZISM section 1.2.3.

In general terms this does not include DHBs, Crown Entities, Local Government bodies and other similar entities. However, these entities will primarily be governed by their own legislation and regulation, and in some cases have a responsible Minister. In all cases there is a requirement and responsibility for good governance, of which IT governance is an integral part. It is vital that these entities are able to demonstrate good governance.


Why use the NZISM?

The NZISM provides clear and comprehensive guidance on information systems security in support of good and demonstrable governance practices. This includes the application of the control sets (for all classifications) as baseline controls and the implementation of Certification and Accreditation processes.


Do Council (and other entity) systems that process UNCLASSIFIED, IN-CONFIDENCE, and SENSITIVE information require Certification and Accreditation?

The controls required for information and systems classified RESTRICTED and below have very few differences. The NZISM control set is designed to accommodate all classifications from RESTRICTED down as a single set of baseline controls. The key here is not the classification of the information, but the need to demonstrate good governance.

The Certification and Accreditation process is the principal method of demonstrating good IT governance and risk management. It also informs the executive on a regular basis of IT governance efforts. The alternative is to implement a continuous audit programme, which can be costly and divert internal technical resources.

For access to the NZCSP 301 please contact cryptohelpdesk@gcsb.govt.nz

For access to the NZCSS 400 please contact techliaison@gcsb.govt.nz