Skip to main content


All government-held information requires appropriate protection. Government agencies must consider the nature and value of the information they’re managing and the measures needed to protect it.

Security is about adequate protection for government-held information — including unclassified, personal and classified information — and government assets.

You need to start by evaluating the risks associated with your information or assets, and then apply security proportionate to the level of risk.

Information security

Protective Security Requirements (PSR)

The Protective Security Requirements (PSR) outline the Government’s expectations for managing personnel, physical and information security. The requirements:

  • will better help you manage business risks and assure continuity of service delivery
  • set out what agencies must and should consider, to ensure they are managing security effectively.

The PSR sets out security requirements, governance and security best practice guidance and support, and includes the New Zealand Information Security Manual (NZISM).

Protective Security Requirements (PSR)

New Zealand Information Security Manual (NZISM)

The New Zealand Information Security Manual details processes and controls that are essential for the protection of all New Zealand Government information and systems. Controls and processes representing good practice are also provided to enhance the essential, baseline controls. Baseline controls are minimum acceptable levels of controls.

New Zealand Information Security Manual (NZISM)

Security services and advice

Industry experts can be contracted to provide government agencies with a range of security and privacy services and advice via the Marketplace. There have different specialisations and agencies should consider their specific needs before choosing a provider.

The Information Security Professional Services catalogue is part of an ongoing digital transformation programme of work to help government agencies to lift privacy and security standards.

Information Security Professional Services catalogue — Pae Hokohoko | Marketplace

Certification and Accreditation

Certification and Accreditation is a fundamental governance and assurance process, designed to provide the Board, Chief Executive and senior executives confidence that information and its associated technology are well managed, that risks are properly identified and mitigated and that governance responsibilities can demonstrably be met. It is essential for credible and effective information assurance governance.

Risk assessments before using public cloud services

Agencies should make use of services available on the public cloud.

The New Zealand Government has worked closely with security agencies to address their major concerns about using public cloud services. This guidance helps agencies manage those risks.

Risk assessments before using public cloud services

Guidance for lower risk services

New Zealand Government guidance related to managing lower risk information has also been developed.

Security and privacy for websites

Cyber security

National Cyber Security Centre (NCSC)

The NCSC is part of the Government Communications Security Bureau. Its role is to help New Zealand’s most significant public and private sector organisations to protect their information systems from advanced cyber-borne threats and to respond to incidents that have a high impact on New Zealand.

National Cyber Security Centre

Computer Emergency Response Team (CERT-NZ)

The national CERT-NZ is part of an international network of similar teams working to improve cyber security. CERT-NZ provides trusted and authoritative information and advice, and helps build a profile of the threat landscape in New Zealand.



NZ Government agencies are accountable for ensuring they meet privacy and security expectations and requirements. By implementing the PSR you will:

  • better manage business risks
  • assure continuity of service delivery
  • assure the Government and the public that you have appropriate, effective measures in place to protect New Zealand’s people, information and assets.

Using the frameworks and guidance provided will help ensure:

  • that the level of protection and assurance required is appropriate to each site or service
  • resources are applied efficiently.

Detailed advice

Protective Security Requirements (PSR)

Information Security Professional Services catalogue

Security Professional Services catalogue can be found on Marketplace and includes:

  • Information security risk management and assessment
  • Information security governance and strategy
  • Information security assurance
  • Source code, application review and technical testing
  • ICT security incident response, investigation and forensic

Information Security Professional Services catalogue — Pae Hokohoko | Marketplace 

Guidance for lower risk services

Apply the NZ Government guidance when doing a risk assessment of public websites with information that is unclassified and in confidence.

Security and privacy for websites


CERT NZ provides you with up-to-date, actionable advice on current threats and vulnerabilities, as well as guidance on mitigation and cyber security best practice.


Tools and templates

Information security risk assessment process

A generic security risk assessment process has been developed. Adherence to this document is not mandatory. However, you are required to have a robust risk assessment process and this document may help. Agencies are free to use their own established risk assessment processes instead if preferred.

This is a template, designed to be completed and submitted offline. For an accessible version contact

Related advice

Risk management

Utility links and page information

Last updated