Information security guidance

This guide is for project managers working on ICT projects that need to meet New Zealand Government Information Security standards, regulations, and policies.

Information security guidance for project managers [PDF, 270 KB]

(July 2019) Understanding the different possible roles involved in cloud computing, their respective responsibilities, and how they interrelate, will be helpful for organisations using cloud services.

Cloud Services: Who’s Who – Roles and Responsibilities [PDF, 455 KB]

(July 2019) A variety of cloud service models are available to Consumers, each entailing different types of service management operation, as well as differing levels of responsibility for security for the parties involved.

Cloud Computing: Shared Responsibility Security Models [PDF, 477 KB]


(Nov 2019) Weak information security (InfoSec) policies and procedures, and inappropriate user access to networks and systems, have been identified as key risks for many government agencies. The National Cyber Security Centre (NCSC) has developed the following guidance to help agencies address these issues and improve their InfoSec capability and maturity.

Improving information security: The Importance of policy and procedures [PDF, 349 KB]


Working Remotely: Advice for Organisations and Staff

(March 2020) This document has been compiled to help organisations think about the cybersecurity risks that arise when staff need to work from remote locations. We’ve provided a series of recommendations that can be used as a starting point in addressing these risks.

Download the NCSC's advice on working remotely [PDF, 488 KB]

Working Remotely: Getting Started on Cloud Security

(March 2020) Cloud services are one of the few practical solutions available to meet the challenge of working remotely; however, the movement to cloud services at pace creates risks. Managing these risks should be an organisation’s objective in order to ensure short-term fixes don’t become long-term problems.

Download the NCSC's advice on cloud security [PDF, 426 KB]

(April 2020) Microsoft Azure and Office 365 (O365) are cloud services used by many organisations providing remote working solutions for staff. Some organisations already have a well-established O365 security posture, but for those who are required to stand it up in a hurry, this document provides straightforward starting guidance on securing the O365 environment.

Download the NCSC's advice on securing Microsoft Azure and Office 365 [PDF, 180 KB]

(April 2020) This paper sets out the Government Chief Information Security Officer’s advice to public servants on important security settings when using Zoom remote conferencing services for official New Zealand Government business, either within a public-sector organisation, or when collaborating with partner agencies.

Download advice from the GCISO on using Zoom [PDF, 309 KB]

(May 2020) There are a number of technology options for communicating that now include voice, group messaging, and video. While many of these technologies require specific measures to ensure they are used securely, some enduring principles can be used to help organisations make sound security decisions.

Download advice on secure video, voice, and messaging communications [PDF, 637 KB]

(May 2020) This page contains guidance designed to help your organisation commence the process of securing cloud resources in Amazon Web Services (AWS).

Download advice on securing Amazon Web Services [PDF, 481 KB]