PUBLISHED DATE: 30 October 2025
Introduction
The Minimum Cyber Security Standards (the Standards) will help to drive sector-wide uplift against foundational cyber security practices.
They are intended for GCISO-mandated agencies, which will be required to implement them; non-mandated agencies wishing to adopt the Standards are also welcome to do so.
A key consideration when developing the Standards was ensuring alignment with the Protective Security Requirements (PSR) Assurance Framework. The framework provides the assurance mechanism for the NCSC to assess agency compliance with the Standards.
With the introduction of the Standards, we will continue to build greater visibility of the system through consolidating insights across other initiatives including:
- Protective Security Requirements (PSR)
- New Zealand Information Security Manual (NZISM)
- Vulnerability Insights Programme
- NCSC Cyber Security Framework
We will use the insights gained from these initiatives, along with other data, to refine, update, and more effectively deploy our products and services for GCISO-mandated agencies.
About the Standards
The Standards were selected based on our assessment of the most likely vectors for attack, as well as actual incidents that have occurred, and discussions held with government agencies during the scoping stage.
Although the Standards do not cover the entire cyber security spectrum, they are an important standalone tool that provides alignment between the policy requirements established in the Protective Security Requirements, the NCSC’s Cyber Security Framework, and the technical controls within the NZISM.
The Standards:
- establish clear expectations about the basics and map to both the Cyber Security Framework and the NZISM,
- help agencies to understand, benchmark and improve their practices against a maturity model, and
- generate system insights through agency reporting. These insights will help build our dashboard of agency performance, which will inform the development and renewal of products and services.
The NCSC’s Cyber Security Framework provides a basis for the development of the Standards. The diagram below illustrates how the 10 Standards align with the five functions of the NCSC Cyber Security Framework.
[Diagram: The Cyber Security Framework and the Standards]
There are 10 Minimum Cyber Security Standards:
Scope
The Standards apply to all business-critical and externally facing systems, where applicable.
These are defined as follows:
- Business-critical: systems and applications that must function for an organisation to conduct normal business operations. This includes both internal and external systems.
- Externally facing: systems and applications that are outside the authorisation boundary established by the organisation and either fall under the business-critical definition or have connectivity to one or more business-critical systems.
How the Standards are structured
Each Standard has been designed to provide sufficient detail to enable agencies to implement them and further enhance the security maturity level for that Standard.
Each Standard has been designed to help organisations understand the what, why, and how aspects, in relation to their purpose and implementation. The Standards have a maturity model built in, which will assist in standardising how cyber risks can be tracked and measured over time.
Each standard is made up of the following elements:
- Standard statement: A summary statement that provides an overview of what the Standard is.
- Maturity level: Criteria within a maturity model that provide clarity, including the expected minimum implementation level. The requirements at each level are intended to be met in order to comply with that level of maturity. The levels provide a pathway against which agencies can assess themselves, with a view to improving maturity over time. Each successive maturity level builds on the requirements of the preceding level.
- Focus area: The areas to which the Standard applies. This is provided as a guide and is not an exhaustive list; each agency is best placed to identify the areas relevant to it.
- Intent of the standard: What the Standard is trying to achieve, including the security risks it addresses.
- Suggested actions: Actions that could be taken to achieve the Standard, aligned to the Measurable Outcomes section.
- Key dependencies: Measures or technologies that are likely to need to be in place before the Standard can be implemented. A number of dependencies apply to multiple Standards. In general, these dependencies are less technology-specific and relate to business processes.
- Measurable outcomes: One tool an organisation may use (or may already have in place) to measure whether the Standard is being implemented. The outcomes have been designed to align with the requirements contained in the maturity levels.
- NZISM controls: Relevant controls that provide additional detail to assist in implementing the Standard and meeting New Zealand Government compliance requirements.
Cyber Security Capability Maturity Model (CS-CMM)
A maturity model helps organisations to evaluate their maturity against the security requirements set out in the Standards.
The model selected is the PSR Capability Maturity Model (PSR-CMM), which has five levels; however, for the purpose of the Minimum Cyber Security Standards, four levels will be used at present. In the future we will review the levels to determine whether a fifth level is required.
Learn more about the Cyber Security Capability Maturity Model
Learn more about the PSR Capability Maturity Model