News Own Your Online External Link Report it
News Own Your Online External Link
  1. Welcome to the National Cyber Security Centre
  2. Protect your organisation
  3. Assets and their Importance
Minimum Cyber Security Standards

Assets and their Importance

Organisations have a framework and process to enable timely asset identification and importance.

Roles & Audiences

IT Specialist Decision makers Government

PUBLISHED DATE: 30 October 2025

Intent of this standard

Organisations need to protect their assets. There are many asset types including:

  • intellectual property and customer data,
  • information technology (IT) and operational technology (OT) assets (hardware and software), and 
  • people and their skills.

This standard focuses on identifying assets in a cyber security context and understanding their importance so that the appropriate controls to achieve security objectives can be applied. This includes third-party managed services that process and protect organisational assets.

Implementing this standard will help to identify and prioritise assets that provide and support critical functions to an organisation using a risk-based approach. 

This standard intends to address the following areas.

Identification of assets

Understanding which assets are critical to the organisation is the first step before identifying and implementing controls to manage the confidentiality, integrity, and availability of these assets.

Organisations must also understand which dependencies exist between assets located either on-site or externally. 

Establishing an asset life cycle management process

Having a good asset management process will help in the deliberate and active management of an asset throughout its life while accounting for its total cost of ownership. This may include legacy assets and as-a-service (aaS) offerings. An organisation must ensure assets nearing the end of their supportable life are replaced before they are no longer supportable.

Risk management

Organisations will be able to apply appropriate controls once levels of risk have been identified. Implementing this standard will require organisations to undertake a risk assessment.

Identifying and understanding assets and their importance in your organisation will enable the application of appropriate security controls, which may include but is not limited to:

  • monitoring,
  • patch management, and
  • hardening.

It may also identify opportunities for procedural changes in processes for:

  • incident management,
  • data recovery, and
  • response planning.


Patching standard

Data recovery standard

Response planning standard

Minimum capability maturity level

We have established criteria within a maturity model to provide clarity, including the expected minimum implementation level, which is CS-CMM 2.

Cyber Security Capability Maturity Model

The requirements are intended to meet and comply with each respective level of maturity. The levels provide a pathway that can be used by agencies to assess themselves against, with a view to improving maturity over time.

Each maturity level builds on the requirement from the preceding level.

Below are the requirements for each capability maturity level for this Standard.

  • CMM 4 Quantitively Controlled
    • The organisation has a continuous monitoring regime in place for tracking and recording any changes in assets.
    • Risks are identified and managed through formalised processes.
  • CMM 3 Standardised
    • The organisation has a comprehensive inventory of assets, including hardware, software, and data (including cloud).
    • Assets are classified based on their criticality, sensitivity, and importance to the organisation.
    • All assets have an owner that complies with the organisation’s policy, to help manage shadow IT.
    • The organisation’s procurement policies require the security team’s endorsement prior to asset acquisitions being confirmed or completed.
  • CMM 2 Planned and Tracked
    • The organisation has a basic inventory of assets, including hardware, software, and data (including cloud).
    • An agreed policy on asset classification exists and is applied to critical systems and externally facing systems.
    • Ownership of assets is based on their criticality and impact.
    • Security requirements are included within the asset and service acquisitioning process.
    • The organisation has an asset management policy in place that includes end-of-life or end-of-support processes.
  • CMM 1 Informal
    • The organisation does not have a clear understanding of which assets they have, their importance, or where they are located.
    • Assets are classified by individuals, inconsistently marked, and based on an educated guess by the user.

Focus areas

Focus areas are applicable to the standard and are provided as a guide and not an exhaustive list. Each agency is best placed to identify areas of relevance.

Focus areas for this standard are:

  • Corporate network systems.
  • Cloud services (private, semi-public, public), as-a-service delivery, internal-facing systems.
  • External-facing/internet-facing systems.

Suggested actions

The following list is not exhaustive. Organisations should identify which actions are appropriate to implement the standard based on their current maturity level. However, the following actions follow good practice guidelines:

  • Establishing an asset lifecycle management policy and procedure(s).
  • Identifying and maintaining a current asset inventory - for hardware and software - that has the appropriate minimum configuration items listed, such as:
    • application name,
    • business owner,
    • licensing model,
    • server/instance names,
    • IP address & URL (if web-based),
    • vital dependencies (i.e. other systems, networks, etc.), and
    • other supporting information such as C&A artefacts and privacy impact assessments.

  • Establishing business owners for business-critical systems, software, and applications, and ensuring they fully understand their role and responsibilities as an owner.

  • Ensuring that procurement policies satisfy security requirements prior to asset acquisitions.

  • Procurement of assets is not typically allowed via corporate credit cards. Where this is permitted, ensure asset invoices are reconciled to procurement tools.

  • Continuous monitoring is in place to detect, manage, and track the movement and usage of assets, including oversight of the supply chain.

  • Identifying key personnel involved in the management of assets and systems to enable the identification of single points of failure.

Key dependencies

To implement this standard, there are likely to be requisite measures or technologies in place.

A number of dependencies apply to multiple standards. In general, these dependencies are less technology-specific and relate to business processes.

Key dependencies for this standard include:

  • An asset management tool exists, including resourcing to operate the tool.
  • A risk management strategy that includes a defined acceptable risk level exists.
  • A defined governance process (e.g. business impact analysis) for rating applications or systems as critical.
  • Sufficient capacity and capability to risk-assess critical assets for vulnerabilities and weaknesses.
  • A procurement process involves asset management.
  • Asset identification methodology is in place.
  • Asset governance model that accounts for procurement, onboarding, deployment, recovery, and disposal of assets.
  • Software dependencies have been identified and managed.

Measurable outcomes

To establish whether the standard is being implemented, the outcomes are a tool an organisation may wish (or already have in place) to measure to help make this determination.

The outcomes have been designed to align with the requirements contained in the maturity level.

Outcomes for this standard include:

  • An asset registry is kept current and regularly reviewed against risks.
  • Critical assets, and all dependencies (e.g. third-party software libraries) to operate these, have been identified and regularly reviewed.
  • Organisations have a current asset inventory (e.g. hardware, software, licences, versions numbers).
  • Organisations embed asset management processes and procedures into their procurement/sourcing process.
  • Organisations have asset life cycle management policies and procedures, ensuring that all assets are always supportable.
  • Business owners are assigned for critical software and applications, and they are also responsible for documenting and communicating any changes in the asset to all relevant support units or key stakeholders.
  • Demonstrate an understanding of the total cost of ownership (TCO) of assets for future years.
Applicable NZISM controls

The NZISM controls listed below provide additional detail to assist with the implementation of this standard and meeting New Zealand Government compliance requirements.

  • Control reference - 3.4.10.C.01

    Each system MUST have a system owner who is responsible for the operation and maintenance of the system.

    CID: 442

  • Control reference - 3.4.10.C.02

    System owners SHOULD be a member of the Senior Executive Team or an equivalent management position, for large or critical agency systems.

    CID: 443

  • Control reference - 5.1.9.C.01

    Agencies MUST ensure that every system is covered by a Security Risk Management Plan, which includes identification of risk owners.

    CID: 699

  • Control reference - 5.3.8.C.01

    Agencies SHOULD incorporate their security risk management plan into their wider agency risk management plan.

    CID: 808

  • Control reference - 8.4.8.C.01

    Agencies MUST account for all IT equipment containing media.

    CID: 1400

  • Control reference - 12.1.30.C.03

    Agencies SHOULD select products in the following order of preference:

    • A protection profile (PP) evaluated product,
    • Products having completed an evaluation through the AISEP or recognised under the Common Criteria Recognition Arrangement (CCRA),
    • Products in evaluation in the AISEP,
    • Products in evaluation in a scheme where the outcome will be recognised by the GCSB when the evaluation is complete, or
    • If products do not fall within any of these categories, normal selection criteria (such as functionality and security) will apply.

    CID: 3287

  • Control reference - 12.7.14.C.03

    Agencies SHOULD follow the Government Rules of Procurement.

    CID: 3639

  • Control reference - 13.1.9.C.01

    When the Information System reaches the end of its service life in an organisation, policy and procedures SHOULD be in place to ensure secure decommissioning and transfer or disposal, in order to satisfy corporate, legal and statutory requirements.

    CID: 3829

  • Control reference - 13.1.13.C.01.

    The Agency’s Accreditation Authority SHOULD confirm IA compliance on decommissioning and disposal

    CID: 3850

  • Control reference - 13.1.13.C.03

    The Agency’s Accreditation Authority SHOULD confirm asset register updates.

    CID: 3853

  • Control reference - 20.2.15.C.07.

    Agencies SHOULD implement security and operational management and monitoring tools which include the following minimum capabilities:

    • Identify VMs when initiated,
    • Validate integrity of files prior to installation,
    • Scan new VMs for vulnerabilities and misconfigurations,
    • Load only minimum operating system components and services,
    • Set resource usage limits,
    • Establish connections to peripherals only as required,
    • Ensure host and guest time synchronisation,
    • Detect snapshot rollbacks and scans after restores,
    • Track asset migration, and
    • Monitor the security posture of migrated assets.

    CID: 4909

Topics

Device security Risk management
Top