Security and privacy governance

Find out about roles and responsibilities when it comes to security and privacy.

What you need to know

  • You must have protective security governance arrangements — see Protective Security Requirements
  • Websites must have a business owner who is a senior manager, and a manager and administrators
  • You must have documentation for online systems and management procedures
  • Raise concerns with your Chief Information Security Officer
  • Discuss security and privacy governance with your IT Security Manager

Chief Security Officer

You must appoint a senior manager as the Chief Security Officer (CSO).

They're responsible for the agency protective security policy and oversight of protective security practices.

Roles and responsibilities in your organisation

Privacy Officer

You must appoint a Privacy Officer.

They don't need special training, but they do need to understand the 12 Privacy Principles.

What is a privacy officer? Am I required to have a privacy officer?

Agency Head

The agency head endorses and is accountable for information security in your agency.

Chief Information Security Officer (CISO)

The CISO sets the strategic direction for information security in your agency.

Information Technology Security Managers (ITSM)

ITSM provide information security leadership and management in your agency.

System owners

System owners obtain and maintain accreditation of their systems, including directly related services such as cloud.

System users

System users comply with information security policies and procedures in your agency.


If you've got any concerns about security and privacy governance, talk to your CISO.

Make sure you're familiar with the NZ Cyber Security Strategy.

NZ's Cyber Security Strategy
