PUBLISHED DATE: 30 October 2025
Intent of this Standard
People can be both the biggest asset and the biggest liability when it comes to cyber security risks. This Standard seeks to ensure staff have the appropriate context, understanding, and awareness of cyber security to undertake their day-to-day jobs in a safe manner.
Through security awareness, an organisation can foster an environment where security is a primary consideration, in the same way that financial, operational, health and safety, and technical considerations are today.
Organisations will provide the necessary training and guidance to enable safe usage of the approved systems and applications. Any such training needs to be maintained, so that security awareness remains relevant.
Minimum capability maturity level
We have established criteria within a maturity model to provide clarity, including the expected minimum implementation level, which is CS-CMM 2.
Cyber Security Capability Maturity Model
The requirements at each level describe what an agency needs to have in place to meet that level of maturity. The levels provide a pathway that agencies can use to assess themselves against, with a view to improving maturity over time.
Each maturity level builds on the requirement from the preceding level.
Below are the requirements for each capability maturity level for this Standard.
CMM 4 Quantitatively Controlled
- Security awareness training is conducted at induction and throughout the year through several approaches, including:
  - training on any new systems, policies, or threats,
  - prompts and warnings and how these should be analysed and responded to,
  - memorandums and emails, and
  - ongoing campaigns aligned with broader industry initiatives.
- Security policies and guidelines are regularly reviewed, updated, and communicated to all staff.
- Staff are given focused security training for the roles they hold within the organisation.
- Testing to validate the effectiveness of training is undertaken and results reported.
CMM 3 Standardised
- Staff are given security awareness training regularly throughout their employment, aligned with broader industry initiatives and reflective of the organisation’s specific threat landscape.
- Security policies are kept up-to-date, are published, and are accessible to all staff.
- Security requirements are embedded throughout organisational business-as-usual activities and included in employees’ job descriptions.
- Access to systems is granted only on successful completion of training, with the check enforced through integrated and automated methods.
CMM 2 Planned and Tracked
- Staff are given dedicated security awareness training when onboarded, to cover:
  - approved systems and usage,
  - password management,
  - security risks and threats, and
  - locations of security policies and guidelines.
- Security awareness training is reviewed and updated regularly and is part of the organisation’s training programme.
- Security awareness updates are reported to appropriate levels of seniority within an organisation.
CMM 1 Informal
- Security awareness training is provided on an ad-hoc basis.
- Security awareness training material is reviewed and updated sporadically.
Focus areas
Focus areas are applicable to the standard and are provided as a guide and not an exhaustive list. Each agency is best placed to identify areas of relevance.
The focus area for this Standard is:
- All organisational staff.
Suggested actions
The following list is not exhaustive. Organisations should identify which actions are appropriate to implement the Standard based on their current maturity level. The following actions reflect good practice guidelines:
- Develop both onboarding and ongoing security awareness training programmes for staff at all levels of the organisation.
- Provide guidance and training for staff on the safe usage of information systems, and routinely review it to ensure it aligns with the organisation’s security posture.
- Ensure acceptable use and other cyber security policies contain clear expectations on allowed and prohibited usage.
- Monitor compliance with associated policies and report the results.
- Develop and deploy role-based training programmes for staff in specialised roles.
Key dependencies
To implement this Standard, there are likely to be requisite measures or technologies in place.
A number of dependencies apply to multiple standards. In general, these dependencies are less technology-specific and relate to business processes.
Key dependencies for this Standard include:
- Threats and risks are identified.
- An acceptable tool inventory, policies, standards, and procedures exist.
- Support and endorsement for security awareness training has been obtained from management.
- Guidance for staff on where and how to seek help with cyber security issues is in place.
Measurable outcomes
The outcomes below are measures an organisation may use (or may already have in place) to establish whether the Standard is being implemented.
The outcomes have been designed to align with the requirements contained in the maturity level.
Outcomes for this Standard include:
- Cyber security awareness training programmes and guidance are included throughout staff employment lifecycles.
- Regular communication occurs, reinforcing expected and prohibited cyber security activities from all staff.
- Staff demonstrate an understanding of expected behaviours.
- Staff demonstrate an understanding of prohibited activities.
- Staff are empowered and encouraged to highlight security risks, issues, suspected compromises, or anomalies.
- Channels exist to facilitate communication between management and staff.
- Security awareness programmes are in place.
- Online courses, modules, and education days are required to be completed by staff.
Applicable NZISM controls
The NZISM controls listed below provide additional detail to assist with the implementation of this Standard and meeting New Zealand Government compliance requirements.
- Control reference 3.2.18.C.01 (CID 351): The CISO SHOULD be responsible for overseeing the development and operation of information security awareness and training programs within the agency.
- Control reference 3.3.8.C.03 (CID 393): ITSMs SHOULD select and coordinate the implementation of controls to support and enforce information security policies.
- Control reference 3.3.8.C.04 (CID 394): ITSMs SHOULD provide leadership and direction for the integration of information security strategies and architecture with agency business and ICT strategies and architecture.
- Control reference 3.3.10.C.02 (CID 402): ITSMs SHOULD monitor and report on compliance with information security policies, as well as the enforcement of information security policies within the agency.
- Control reference 3.3.13.C.01 (CID 413): ITSMs SHOULD provide or arrange for the provision of information security awareness and training for all agency personnel.
- Control reference 3.3.13.C.02 (CID 414): ITSMs SHOULD develop technical information materials and workshops on information security trends, threats, good practices and control mechanisms as appropriate.
- Control reference 9.1.4.C.01 (CID 1449): Agency management MUST ensure that all personnel who have access to a system have sufficient training and ongoing information security awareness.
- Control reference 9.1.5.C.01 (CID 1452): Agencies MUST provide ongoing information security awareness and a training programme for personnel on topics such as responsibilities, legislation and regulation, consequences of non-compliance with information security policies and procedures, and potential security risks and counter-measures.
- Control reference 9.1.5.C.02 (CID 1453): Agencies MUST provide information security awareness training as part of their employee induction programmes.
- Control reference 9.1.6.C.01 (CID 1457): Agencies SHOULD align the detail, content and coverage of information security awareness and training programmes to system user responsibilities.
- Control reference 9.3.5.C.01 (CID 1532): Agencies MUST make their system users aware of the agency’s Web usage policies.
- Control reference 9.3.5.C.02 (CID 1533): Personnel MUST formally acknowledge and accept agency Web usage policies.
- Control reference 14.3.5.C.01 (CID 1272): Agencies MUST develop and implement a policy governing appropriate Web usage.
- Control reference 15.1.18.C.01 (CID 1726): Agencies MUST make their system users aware of the agency’s email usage policies.
- Control reference 16.1.44.C.03 (CID 1901): Agency log-on banners SHOULD cover issues such as:
  - the system’s classification,
  - access only being permitted to authorised system users,
  - the system user’s agreement to abide by relevant security policies,
  - the system user’s awareness of the possibility that system usage is being monitored,
  - the definition of acceptable use for the system, and
  - legal ramifications of violating the relevant policies.
- Control reference 16.4.43.C.01 (CID 6868): Agencies MUST implement a Privileged Access Management (PAM) policy training module as part of the agency’s overall user training and awareness requirement.
- Control reference 16.7.44.C.01 (CID 6960): When agencies implement MFA they MUST ensure users have an understanding of the risks, and include appropriate usage and safeguards for MFA in the organisation’s user training and awareness programmes.
- Control reference 20.1.27.C.01 (CID 4854): Agencies MUST develop and implement user awareness and training programmes to support and enable safe use of cloud services (See Section 9.1 – Information Security Awareness and Training).