Your browser currently has JavaScript turned off, which means that Govt.nz might not display properly on your device. It's easy to turn JavaScript on - find out how to enable JavaScript in your browser.

How to write a cloud plan

Cabinet requires NZ government organisations to have a cloud plan — also called a cloud adoption strategy.

Create a separate or joint document

Your organisation’s cloud plan, or ‘cloud adoption strategy’, can stand on its own or be part of an overarching strategy for information and communications technology (ICT).

It must show how your organisation plans on using public cloud services.

Cabinet minutes for public cloud services

What goes into a cloud plan

The New Zealand Information Security Manual (NZISM) explains how to put together a cloud adoption strategy.

Cloud adoption strategy — NZISM

Focus on approaches instead of solutions

Rather than focusing on specific solutions, outline the approaches you want your people to use. This allows your organisation to:

respond rapidly in a changing environment
keep up with advances in technology
support the mahi and mana of your people — they’re trying to use the tools that help them do their jobs well
work together smoothly inside your organisation and with other organisations inside and outside of government.

Zero trust approach

Zero trust means no longer trusting connections or devices based on the network in which they are located. Instead, users and devices are identified and decisions made to allow or deny access to a resource. This happens each time the user or device tries to access it.

A zero trust approach is the best way of securing access to public cloud services. It enables mobility and flexibility while also providing more security than traditional network-based approaches.

Zero trust — NZISM

Fit security controls to zero trust principles

Zero trust moves defenses from static, network-based perimeters to focus on:

users — identified every time they try to access a resource
assets — such as end-user devices, public cloud services and legacy infrastructure
resources — such as data, public cloud services and legacy applications.

Zero trust architecture — National Institute of Standards and Technology

Other types of cloud services

Cabinet requires government organisations to consider public cloud services over other types of cloud services and traditional information technology systems.

In some cases, it might make sense for your organisation to use other types of cloud services — for example, hybrid or community cloud.

Public cloud versus other types of cloud

Get input from people in different roles

Do not write a cloud plan in isolation. Reach out to people in different roles in your organisation. This way, you can make a plan for using public cloud services that takes into account different experiences and skill sets.

Offer a choice of services to your people

In your cloud plan, make sure your approach allows for a wide range of public cloud services that your people can use to do their work. This should include:

a catalogue of approved services
a balance of choice and common ground that fits your organisation’s context
ways to work together with organisations inside and outside of government.

Offer a choice of public cloud services to your people

Was this page helpful?

Yes No Partly

Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

What did you come here to do?

How can we improve this information?

Enter your email address if you want a response

Last updated 10 October 2022