Minimum Cyber Security Standards

Minimum cyber security standards and insights uplift 

We have developed Minimum Cyber Security Standards, in line with our Government Chief Information Security Officer (GCISO) mandate. They have been designed to focus on the basics, to create visibility of cyber security practices, and to support an uplift.

The Minimum Cyber Security Standards establish minimum expectations for the cyber security practices of GCISO-mandated agencies. They are positioned between the controls in the New Zealand Information Security Manual and the NCSC Cyber Security Framework.

The Standards include a capability maturity model that identifies actions for improvement.

Implementation

The standards will apply from the 30th of October 2025. 

Mandated agencies must adopt practices that meet the minimum level and be able to report back on this. 

We are consulting on the Standards in collaboration with PSR

We are coordinating closely with PSR and have aligned our consultation and publication timeframes. Consultation on the Standards with GCISO-mandated agencies and industry partners started on 16 June and will continue until 4 July 2025. To support this consultation, the Standards will be published on the NCSC website. We are coordinating across NCSC and GCSB to support communication and engagement activities.

Feedback from the consultation will help us evaluate whether we have set the Standards at the right level. The final Standards are planned for publication in October 2025, with agencies directed to report back on implementation as part of the PSR assurance reporting process in April 2026.

Scope

The Minimum Cyber Security Standards apply to all business-critical and external-facing systems. Prior to implementing the Standards, agencies will need to identify which of their systems fall within this scope.

Contact us

For further information, to ask questions or give feedback, email the Government Chief Information Security Officer (GCISO) team.