News Own Your Online External Link Report it
News Own Your Online External Link
  1. Welcome to the National Cyber Security Centre
  2. Protect your organisation
  3. Least Privilege
Minimum Cyber Security Standards

Least Privilege

Organisational requirements incorporate the principle of least privilege when designing and authorising access to their systems.

Roles & Audiences

IT Specialist Decision makers Government

PUBLISHED DATE: 30 October 2025

Intent of this Standard

To minimise the time to detect breaches and compromises, organisations need to be able to proactively monitor for any anomalous or unintended changes or activity within their environment. Early detection will assist in limiting the impact of any breach or compromise and enables organisations to activate steps that facilitate their containment and incident response processes.

For this to be successful, an understanding of the baseline operating environment and behaviour will aid in the early detection and identification of unusual or unexpected behaviour. Establishing and maintaining a baseline for an operating environment, in conjunction with regular reviews, will effectively reduce false-positive detection rates.

The area of anomalous behaviour detection is broad, and this Standard seeks to provide guidance on initial deployments. This Standard addresses the areas of successful and unsuccessful user authentication, privilege escalation, and infrastructure utilisation.

Minimum capability maturity level

We have established criteria within a maturity model to provide clarity, including the expected minimum implementation level, which is CS-CMM 2.

Cyber Security Capability Maturity Model

The requirements are intended to meet and comply with each respective level of maturity. The levels provide a pathway that can be used by agencies to assess themselves against, with a view to improving maturity over time.

Each maturity level builds on the requirement from the preceding level.

Below are the requirements for each capability maturity level for this Standard.

  • CMM 4 Quantitively Controlled
    • Formal oversight is in place and assurance is obtained that third parties also implement least privileged access for users and administrators on their platforms.
    • Temporary accounts for administrative access is the preferred option.
  • CMM 3 Standardised
    • Local admin rights on workstations are granted by exception only.
    • A formal process to grant, review, and remove access is in place and regularly monitored for compliance, and instances of non-compliance are resolved within agreed timeframes.
    • Logging and monitoring for privileged user roles is independently reviewed and stored centrally.
    • Temporary access is actively encouraged and supported across the organisation.
    • A central register of all accounts is maintained.
    • Just-in-time (JIT) access is actively encouraged where practical, and required where user separation cannot be achieved.
  • CMM 2 Planned and Tracked
    • Local admin rights on workstations are limited where possible.
    • A formal process to grant, review, and remove user access is in place and largely complied with.
    • Logging and monitoring for privileged user roles is in place and regularly reviewed.
    • Separate accounts are used for standard user and privileged user activity where possible.
    • Systems and applications where least privileges are to be applied are identified.
  • CMM 1 Informal
    • Default user role settings are applied.
    • User account management is initiated manually via changes.
    • Ad-hoc and irregular reviews of user permissions may be undertaken.
    • Ad-hoc and irregular logging and monitoring of privileged users is implemented.
    • User roles are categorised by function, if at all.

Focus areas

Focus areas are applicable to the standard and are provided as a guide and not an exhaustive list. Each agency is best placed to identify areas of relevance.

The focus areas for this Standard are:

  • Corporate network

  • Cloud services

  • Software as a service

  • Bring-your-own-device access

  • Internal systems

  • Domain Naming System (DNS).

Suggested actions

The following list is not exhaustive. Organisations should identify which actions are appropriate to implement the Standard based on their current maturity level. However, the following actions follow good practice guidelines:

  • Separate user credentials are allocated for standard-user and privileged-user accounts.
  • A formal process of review and approval for granting privileged user access.
  • Systems or applications where least privilege is to be applied are identified and approved.
  • Roles and user groups are defined with permissions relevant to that role.
  • Accounts are allocated into roles and user groups.
  • Time and location-based restrictions are applied as appropriate for the role or system.
  • System-hardening processes include changing all default passwords and disabling default accounts and services not being used.
  • Regular audits are undertaken for usage, privileged users, and change to an account’s password and permissions.
  • Just-in-time (JIT) access control is implemented.
  • Role-based access control (RBAC) is used to best reflect an individual user’s privileges.
  • Logging for privileged user access is monitored and stored in a central location.
  • Ensure third parties are aware of and comply with an organisation's requirements around least privilege.

Key dependencies

To implement this Standard, there are likely to be requisite measures or technologies in place.

A number of dependencies apply to multiple standards. In general, these dependencies are less technology-specific and relate to business processes.

Key dependencies for this Standard include:

  • User permissions for roles have been defined.
  • All systems have been identified.
  • Privileged user lists are accurate and current to enable account permission settings and align individual users to accounts.
  • Logging functionality is available.
  • Management support and expectations around user access.
  • Policies set out expectations for what the default access level should be.

Measurable outcomes

To establish whether the Standard is being implemented, the outcomes are a tool an organisation may wish (or already have in place) to measure to help make this determination.

The outcomes have been designed to align with the requirements contained in the maturity level.

Outcomes for this Standard include:

  • Privileged user roles are defined based on the organisation's role settings.
  • A management or directive exists that sets out expectations for least privilege as a default.
  • An account register is maintained.
  • Evidence of privileged user audits.
  • All accounts have permissions relevant to their roles.
  • Regular review of assigned users and account privileges.
  • Least-privilege user permissions for roles are documented and reviewed on a regular basis.
  • Evidence of review and monitoring of privileged user activity.
  • Just-in-time (JIT) access is used to temporarily grant and revoke access.
Applicable NZISM controls

The NZISM controls listed below provide additional detail to assist with the implementation of this Standard and meeting New Zealand Government compliance requirements.

  • Control reference - 9.2.17.C.02.

    Agencies granting limited higher access to information or systems MUST ensure that:

    • the requirement to grant limited higher access is temporary in nature and is an exception rather than the norm,
    • an ITSM has recommended the limited higher access,
    • a cessation date for limited higher access has been set,
    • the access period does not exceed two months,
    • the limited higher access is granted on an occasional NOT non-ongoing basis,
    • the system user is not granted privileged access to the system,
    • the system user’s access is formally documented, and
    • the system user’s access is approved by the CISO.

    CID: 1505

  • Control reference - 16.4.37.C.01.

    Agencies MUST apply the Principle of Least Privilege when developing and implementing a Privileged Access Management (PAM) policy.

    CID: 6842

  • Control reference - 16.4.38.C.01.

    As part of a Privileged Access Management (PAM) policy, agencies MUST establish and implement a strong approval and authorisation process before any privileged access credentials are issued. 

    CID: 6846

  • Control reference - 16.4.38.C.02.

    Privileged Access credentials MUST NOT be issued until approval has been formally granted. 

    CID: 6847

  • Control reference - 16.4.41.C.02.

    Privileged account monitoring systems MUST monitor and record:

    • individual user activity, including exceptions such as out of hours access
    • activity from unauthorised sources
    • any unusual use patterns, and
    • any creation of unauthorised privileged access 

    CID: 6860

  • Control reference - 16.4.41.C.03.

    Agencies MUST protect and limit access to activity and audit logs and records. 

    CID: 6861

  • Control reference - 23.4.10.C.01.

    Agencies MUST apply the principle of least privilege and configure service endpoints to restrict access to authorised parties. 

    CID: 7466

Topics

Access management Access control
Top