Skip to main content


Questions 60 to 63 — check your requirements for encryption — the why, how, who, where and when of the information you need to encrypt.

Questions 60 to 63 — Encryption

Table 1 lists who is responsible for answering each question. There are multiple questions that both your government organisation and the service provider need to answer.

Context and help for questions 60 to 63

Record your answers to these questions in either:

Questions to answer

  1. Have requirements for the encryption of the information that will be placed in the public cloud service been determined?
  2. Does the public cloud service use only approved encryption protocols and algorithms, as defined in the New Zealand Information Security Manual (NZISM)?
  3. Which party is responsible for managing the cryptographic keys — the government organisation or service provider?
  4. Does the party responsible for managing the cryptographic keys have a key management plan that meets the requirements defined in the NZISM?

Table 1: Who answers each question

Entity Questions to answer
Government organisation 60, 61, 62, 63
Service provider 61, 62, 63

Where to find the service provider’s answers

You can get the answers to the service provider’s questions from a combination of:

  • direct communication with the provider
  • the provider’s policies and audit reports on their website
  • previous assessments by other government organisations.

If you do not have the service provider’s answers

If you need higher assurance for the information, consider a different public cloud service if:

  • the provider does not give you their answers or other information you need for your risk assessment
  • you cannot get acceptable third-party assurance
  • there are no ways to lessen the risk of this incomplete information.

Independent assurance reports — NZISM

Context and help for questions 60 to 63

The following guidance gives you context and help for answering questions about encryption.

Direct contracts — check for information you can use

Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:

NZ government agreements and contracts — check for certification documents you can use

You can use certification documents to help with your risk assessment of using either:

  • an all-of-government agreement
  • a Marketplace contract.

To get these, contact the security team at the Department of Internal Affairs at

Limits of encryption for confidentiality

Encryption is often presented as the solution for addressing risks to confidentiality in public cloud services. However, there are important limits to encryptions that government organisations need to consider by determining their encryption requirements.

Requirements for encryption

Government organisations must work out their specific requirements for protecting information using encryption. Think about the following points.

What information needs to be encrypted

For the information you’re holding in a public cloud service, see if you need to encrypt:

  • all information
  • only certain data types
  • just specific database rows, columns or entities.

Why the information needs to be encrypted

You might need to encrypt information to meet the requirements of a policy or standard. Make sure you know which policies or standards apply to your information and organisation.

Government organisations must, for example, meet their obligations under the:

How the information should be encrypted

See which protocols, algorithms and key lengths you should use to encrypt your information.

Cryptography — NZISM

The interception of data in transit is an inherent risk whenever information goes through a network — especially when it’s not owned or managed by the government organisation, such as the internet or a service provider’s network.

Government organisations must ensure that the public cloud service encrypts all sensitive data, including authentication credentials, in transit. Use only the encryption protocols, algorithms and key lengths approved in the NZISM.

Who encrypts the information and manages the keys

This will either be your organisation or the service provider.

If a public cloud service is capable of storing data in an encrypted format, government organisations must know if it’s them or the service provider who is responsible for managing the encryption keys — also called cryptographic keys. The NZISM details the practices required to effectively manage cryptographic keys.

Key management — NZISM

If the service provider has access to or manages the cryptographic keys, they will be able to decrypt and access the information you’re holding in the public cloud service. This affects data sovereignty if encryption is used to treat risks related to information being stored outside New Zealand.

Sovereignty over the information

The party that manages the cryptographic keys must have an effective key management plan. This protects the encryption keys from being compromised, which might otherwise lead to the:

  • unauthorised disclosure of information
  • government organisation no longer being able to access its information
  • government organisation not meeting its obligations to certain NZ legislation.

Where the information should be encrypted and decrypted

Work out if the encryption and decryption should be done within:

  • your organisation
  • the client devices
  • the service provider.

When the information needs to be encrypted and decrypted

See if the encryption and decryption need to happen:

  • in transit
  • by the application — for example, message encryption
  • at rest.

While encryption is an effective control for protecting the confidentiality of data at rest, there are limits when the data needs to be processed by a business rule.

Data needs to be unencrypted for business rules in an information system to process it. This may make it impractical or impossible to encrypt data stored within a public cloud service that processes information — instead of just storing it.

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated