This year, the PSR annual self-assessment assurance process includes additional questions focused on INFOSEC, which are required in order to complete the assessment.

This document provides guidance on what good information security should look like, in response to the additional INFOSEC questions. This guidance is aligned with the NZISM and recognised international information security frameworks. It also points agencies to their obligations under the Protective Security Requirements (PSR) Framework.

PSR annual self-assessment assurance process - guidance on additional INFOSEC questions [PDF, 438.15 KB]

New Zealand’s National Cyber Security Centre (NCSC) – a part of the Government Communications Security Bureau – has developed a nationwide understanding of the cyber security resilience of New Zealand’s NSOs. This report shares insight gathered from the first comprehensive cyber security survey of New Zealand’s NSOs.
It identifies four key focus areas in which New Zealand organisations could improve, and provides practical steps that organisations can take to strengthen their cyber security posture and resilience.

‘Thinking ahead. Being prepared. Cyber security resilience of New Zealand’s Nationally Significant Organisations 2017-2018’

The rapid adoption of digital technologies and services, and the drive to increase efficiency, mean that the traditional hard separation between physical infrastructure and information technology environments is diminishing.

This leads to an increased risk that industrial control systems and infrastructure can become vulnerable to cyber threats.

To help address this risk, the National Cyber Security Centre (NCSC), in partnership with the New Zealand Control Systems Security Information Exchange (CSSIE), has developed the new voluntary cyber security standard for control systems operators (VCSS-CSO).

This standard builds on the initial VCSS-CSO developed by industry and the NCSC in 2013.

Voluntary Cyber Security Standards for Industrial Control Systems Operators (VCSS-CSO)


China’s Cybersecurity Law aims to protect national security – the definition of which extends to maintaining territorial integrity, social and economic stability, and the public order. It regulates how organisations and businesses should protect digital information, including whether and under what circumstances it can be transferred out of mainland China, and introduces measures aimed to safeguard internet systems, products and services against cyber-attacks.

It’s important that you understand how the law’s requirements may relate to you. This information sheet provides general information and does not constitute legal advice. You may wish to seek expert advice specific to your circumstances.

Understanding China's Cybersecurity Law

ICT Security and Related Services Panel (SRS Panel)
The Security and Related Services Panel is a group of industry experts contracted to provide government agencies with ICT services and advice on a range of security and privacy practices. The Panel helps government agencies manage privacy and security issues effectively.

CERT NZ provides a central point for all New Zealanders to seek advice and report cyber incidents.
While CERT NZ has a primary responsibility for cyber threat reporting, and a coordination role in threat response, NCSC takes the lead in the response to significant cyber events — particularly those which may impact on national security, and our nationally significant systems and information.

The ORB has been developed by Netsafe to offer all New Zealanders a simple and secure way to report their concerns about online incidents.
In some situations your Internet Service Provider may also be able to offer guidance.

Internet Storm Centre is a program within the SANS Technology Institute, a branch of the SANS Institute which monitors the level of malicious activity on the Internet, particularly with regard to large-scale infrastructure events.
CERT Coordination Centre is part of the Software Engineering Institute, which is based at Carnegie Mellon University, USA.

Netsafe is an independent not-for-profit New Zealand organisation focused on online safety. They provide online safety help, support, expertise and education to people in New Zealand.
Connect Smart contains advice for home users, businesses and schools, to help New Zealanders protect themselves and their businesses online. Connect Smart is led by the government's National Cyber Policy Office (NCPO), part of the Department of the Prime Minister and Cabinet, in partnership with a range of government agencies, non-government organisations, and the private sector.

The Department of Internal Affairs is responsible for investigating complaints about unsolicited commercial electronic messages, commonly referred to as spam.

The ORB and send a copy to NCSC
Contact your local Police station

It is important to note that these are supplementary references and resources to assist agencies in having a more complete understanding of the context of the controls specified in the NZISM.

The Cloud Security Alliance (CSA)  provides a number of resources on cloud security and cloud management –

CSA also publish the Cloud Control Matrix (CCM) now at version 3.0.1 (December 2018 update) – 

Cloud Computing Threats Report -

The Center for Internet Security (CIS) publishes their CIS Controls - 20 important cybersecurity recommendations. Now in version 7.0 (April 2019), the CIS Controls are a prioritised set of actions any organisation can follow to help improve their cybersecurity posture – see:   Controls can be downloaded as an Excel or .pdf file. 

Forbes Insights: Perception Gaps in Cyber Resilience: Where Are Your Blind Spots? The hidden risks of shadow IT, cloud and cyber insurance
Managing Cloud Complexity

Beazley: 2019 Breach Briefing

Symantec: Cloud Security Threat Report 2019

Sophos Whitepapers: Securing the public cloud: Seven Best Practices 

Digital Shadows reports

Digital Risk: The C-Suite's Critical Missing Part of Overall Risk

A Practical Guide to Reducing Digital Risk: Tools and Approaches for Security, Intelligence, and Fraud Teams


GitHub - An Open Source Information Security hub providing tools, techniques and reference material.