The Minimum Cyber Security Standards (the Standards) establish expectations for agencies mandated by the GCISO.
They are positioned between the controls in the New Zealand Information Security Manual, and the NCSC Cyber Security Framework.
The Standards include a capability maturity model that identifies actions for improvement.
Scope
The Minimum Cyber Security Standards apply to all business-critical and external facing systems. Prior to implementing the Standards, agencies will need to identify this scope.
Consultation on the Standards
We aligned our consultation and publication timeframes in collaboration with the Protective Security Requirements (PSR).
Consultation on the Standards with GCISO mandated agencies and industry partners ran from 16 June to 4 July 2025.
To support our consultation, the Standards were published on the NCSC website. We have coordinated across NCSC and the GCSB to support communication and engagement activities.
Feedback from the consultation will help us evaluate that we have set the Standards at the right level.
Minimum Cyber Security Standards consultation document [PDF, 643 KB]
Implementation of the Standards
The final Standards are planned for publication on 30 October 2025, with agencies directed to report back on implementation as part of the PSR assurance reporting process in April 2026.
Contact us
For further information, to ask questions or give feedback, email the Government Chief Information Security Officer (GCISO) team at gciso@gcsb.govt.nz.