PUBLISHED DATE: 30 October 2025
Intent of this Standard
Organisations must actively identify, assess, and manage risks across the business as part of their day-to-day operations, including cyber security risks. The primary purpose of a defined risk management approach is to allow for a common understanding of risks and threats, their impact, and to take the appropriate measures to reduce impacts, in case they eventuate, to an accepted level.
By implementing this Standard, organisations will be able to ensure identified risks have adequate measures in place to mitigate those risks to pre-agreed levels. In particular, they will:
- have clearly defined acceptable residual risk levels to help inform mitigation and investment decisions,
- ensure risks are identified and managed beyond the traditional business and financial risks,
- have cyber security risk handled as part of the organisation’s risk management, rather than separately,
- continually track mitigated risks and the management of any residual risk,
- obtain assurance that their current and planned mitigations are adequately designed to meet the changing threat landscape,
- ensure that security assurance activities effectively identify emerging threats and trends that may have an adverse impact, and
- ensure that accountability, responsibility, and ownership of risks are clearly assigned to those who have control over the system/risk management.
Implementing these activities will assist organisations to protect data and ensure availability, enabling operational activities to continue unimpeded.
Minimum capability maturity level
We have established criteria within a maturity model to provide clarity, including the expected minimum implementation level, which is CS-CMM 2.
Cyber Security Capability Maturity Model
The requirements are intended to meet and comply with each respective level of maturity. The levels provide a pathway against which agencies can assess themselves, with a view to improving maturity over time.
Each maturity level builds on the requirement from the preceding level.
Below are the requirements for each capability maturity level for this Standard.
CMM 4 Quantitatively Controlled
- Risks are regularly reviewed for changes in risk profile and corresponding controls for effectiveness.
- Emerging threats and vulnerabilities are mapped for relevance back to an organisation’s risk profile.
- Identification and communication of risks occurs organisation-wide.
- Assessments are automated and dynamically adjusted in conjunction with changes in risk appetite, including external independent assessments.
CMM 3 Standardised
- A cyber risk framework is adopted; cyber security risks are bundled with other organisational risk areas.
- Risk tolerance is clearly defined, allowing for prioritisation and focused risk mitigation.
- Risks and associated mitigations have clearly identified individual owners.
- Cyber security risks from all areas of the business are assessed as part of the wider risk process.
- Identification and communication of risks occur between management and staff.
- Risk assessments are undertaken regularly, the results are reported, and areas for improvement are actioned.
CMM 2 Planned and Tracked
- A cyber risk framework is adopted across the business, and cyber security risks identified.
- Risk tolerance is defined and applied, addressing critical business functions.
- Risks and associated mitigations may have non-specific or departmental owners.
- Changes to the threat landscape are regularly reviewed for relevance and impact.
- Identification and communication of risks is top-down.
CMM 1 Informal
- Some risk management processes exist, but do not conform to a standard and/or only include traditional business and financial risks.
- Risk tolerance is not clearly defined, resulting in inconsistent prioritisation and criticality of any remedial work.
- Ownership of risk is unclear or not appropriately assigned.
Focus areas
Focus areas are applicable to the Standard and are provided as a guide and not an exhaustive list. Each agency is best placed to identify areas of relevance.
The focus areas for this Standard are:
- Business-critical systems.
- Externally facing systems.
Suggested actions
The following list is not exhaustive. Organisations should identify which actions are appropriate to implement the Standard based on their current maturity level. However, the following actions follow good practice guidelines:
- Adopt an industry-standard risk management approach for the organisation (for example ISO 31000 or the NIST Risk Management Framework).
- Develop risk tolerance levels with executive and governance to help inform the organisation's risk mitigation strategies.
- Define accountabilities and ownership within the organisation for risk, including those for cyber security risk.
- Risk remediation is prioritised and undertaken according to a combined likelihood and impact assessment, and the organisation’s defined risk appetite.
- Cyber security risk profiles are regularly reviewed and updated to reflect an organisation’s risk exposure.
- Cyber security policies and procedures are developed and implemented to assist organisations to meet business outcomes.
Key dependencies
Implementing this Standard is likely to require certain measures or technologies already to be in place.
A number of dependencies apply to multiple standards. In general, these dependencies are less technology-specific and relate to business processes.
Key dependencies for this Standard include:
- A digital asset inventory exists and is kept up to date.
- Channels for identifying, assessing, and reporting threats and risks exist.
- Organisations have identified their critical information and digital assets.
Measurable outcomes
The outcomes below are a tool an organisation may wish to measure (or may already measure) to help establish whether the Standard is being implemented.
The outcomes have been designed to align with the requirements contained in the maturity level.
Outcomes for this Standard include:
- An industry-standard risk management approach is used by the organisation.
- Risk assessments are undertaken regularly, the results are reported, and areas for improvement are actioned.
- Risk and associated mitigations are prioritised, reflecting the organisation's risk appetite and risk evaluation.
- Risks have clearly defined owners and regular review dates.
- An organisation can demonstrate a coordinated approach to identifying new and emerging threats across the cyber landscape.
- Supply chain risks are identified, assessed, and managed as part of the wider risk management program.
- Cyber security risks are handled as part of the organisation’s wider risk management process. These broadly cover physical security, personnel security, and information security.
- Emerging threats and vulnerabilities are mapped for relevance back to an organisation’s cyber risk profile.
- Existence of formalised risk acceptance through certification and accreditation policy and procedures.
Applicable NZISM controls
The NZISM controls listed below provide additional detail to assist with the implementation of this Standard and meeting New Zealand Government compliance requirements.
Control reference - 3.2.12.C.03.
The CISO SHOULD work with business teams to facilitate security risk analysis and security risk management processes, including the identification of acceptable levels of risk consistently across the agency.
CID: 329
Control reference - 5.3.6.C.01.
Agencies SHOULD determine agency and system specific security risks that could warrant additional controls to those specified in this manual.
CID: 802
Control reference - 5.3.7.C.01.
The Security Risk Management Plan SHOULD contain a security risk assessment and a corresponding treatment strategy.
CID: 805
Control reference - 5.3.8.C.01.
Agencies SHOULD incorporate their SRMP into their wider agency risk management plan.
CID: 808
Control reference - 5.3.9.C.01.
Agencies SHOULD develop their SRMP in accordance with international standards for risk management.
CID: 812
Control reference - 6.1.7.C.01.
Agencies SHOULD undertake and document information security reviews of their systems at least annually.
CID: 1040
Control reference - 6.1.8.C.01.
Agencies SHOULD have information security reviews conducted by personnel independent to the target of the review or by an independent third party.
CID: 1043
Control reference - 6.1.9.C.01.
Agencies SHOULD review the components detailed below. Agencies SHOULD also ensure that any adjustments and changes as a result of any vulnerability analysis are consistent with the vulnerability disclosure policy.
Component: Threats
Review: Changes in threat environment and risk profile.
CID: 1048
Control reference - 6.2.6.C.01.
Agencies SHOULD analyse and treat all vulnerabilities and subsequent security risks to their systems identified during a vulnerability assessment.
CID: 1069
Control reference - 6.2.4.C.01.
Agencies SHOULD implement a vulnerability analysis strategy by:
- monitoring public domain information about new vulnerabilities in operating systems and application software,
- considering the use of automated tools to perform vulnerability assessments on systems in a controlled manner,
- running manual checks against system configurations to ensure that only allowed services are active and that disallowed services are prevented,
- using security checklists for operating systems and common applications, and
- examining any significant incidents on the agency’s systems.
CID: 1063
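As an added illustration of the third bullet of control 6.2.4.C.01 (example code, not part of the Standard or the NZISM; the listener table, the allowlist and the `Listener` record are constructed assumptions), a script that compares a host's listening services against an agreed allowlist and reports anything outside it, including a known port served by an unexpected process:

```python
# Added example (not from the Standard or NZISM): check that only allowed
# services are active, as control 6.2.4.C.01 asks for in manual config checks.
from dataclasses import dataclass

# Constructed sample in the style of `ss -tulnp` output (not captured from a real host).
SAMPLE_LISTENERS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1301,fd=6))
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=990,fd=5))
tcp   LISTEN 0      50     0.0.0.0:21         0.0.0.0:*         users:(("vsftpd",pid=1402,fd=4))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=777,fd=7))
"""

# Hypothetical allowlist for this host: (netid, port) -> process expected to own it.
ALLOWED = {("tcp", 22): "sshd", ("tcp", 443): "nginx", ("tcp", 5432): "postgres"}


@dataclass(frozen=True)
class Listener:
    netid: str
    address: str
    port: int
    process: str


def parse_listeners(text):
    """Parse the `ss -tulnp`-style table into Listener records (header row skipped)."""
    listeners = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        fields = line.split()
        netid, local, proc = fields[0], fields[4], fields[6]
        address, port = local.rsplit(":", 1)
        # proc looks like users:(("sshd",pid=812,fd=3)); the first quoted token is the name
        name = proc.split('"')[1] if '"' in proc else "unknown"
        listeners.append(Listener(netid, address, int(port), name))
    return listeners


def find_disallowed(listeners, allowed):
    """Return (listener, reason) for services outside the allowlist or owned by the wrong process."""
    findings = []
    for l in listeners:
        expected = allowed.get((l.netid, l.port))
        if expected is None:
            findings.append((l, "not in allowlist"))
        elif expected != l.process:
            findings.append((l, f"expected {expected}, found {l.process}"))
    return findings
```

Each finding is something to record in the risk register and route to the service owner; a port owned by an unexpected process is worth treating as a higher-priority finding than a merely unlisted one.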