Te Aratohu Haumaru Mōhiohio i Aotearoa (NZISM) New Zealand Information Security Manual

The New Zealand Information Security Manual (NZISM) is the New Zealand Government's manual on information assurance and information systems security.

The NZISM is intended for use by New Zealand government agencies and organisations. Crown entities, local government and private sector organisations are also encouraged to use the NZISM.

The NZISM is a practitioner’s manual designed to meet the needs of:

  • agency information security executives, and
  • vendors, contractors and consultants who provide services to agencies.

The NZISM explains processes and defines controls essential for protecting New Zealand government information and systems.

It promotes a consistent approach to information assurance and information security across all New Zealand government agencies. The NZISM is based on security threat and risk assessments for any information that is collected, processed, stored or communicated by New Zealand government systems with corresponding risk treatments (control sets) to manage security risk.

The NZISM is intended to support the structure of, and assist the implementation of, the New Zealand Government policy that requires agencies to protect the privacy, integrity and confidentiality of the information they collect, process, store and archive.

Its role in information governance and assurance helps these organisations to secure their information systems and communications.

New Zealand Information Security Manual

What is in the NZISM?

The NZISM provides a set of essential or baseline controls and additional good and recommended practice controls for use by government agencies.

The NZISM also provides additional contextual information and references to support agencies in making informed decisions on the risk-based use of the recommended controls.

Each agency must make its own decision on whether or not to use good practice controls, based on its assessment and determination of the residual information security risk.

The NZISM is broken down into the following high-level topics.

  • Asset management – The data and systems you manage, and the business needs they support.
  • Authentication – The process or action of verifying that the identity of a user or process is true, genuine, or valid.
  • Identity and access management – Ensuring that only authorised users or systems can access data or services.
  • Incident management – Activities to minimise the immediate and long-term business impact of security incidents.
  • Logging – The collection of network and device activity data for security purposes.
  • Risk management – Governing, communicating and making decisions about risk.
  • Supply chain – The extended network of relationships relied upon to deliver products, systems, and services.
  • Vulnerability management – Keeping your systems protected throughout their lifecycle.
  • Zero trust – Trust is continuously earned based on factors such as identity, context and activity.

Latest updates

See the following page for the most recent updates to the NZISM.

Latest updates | New Zealand Information Security Manual