New Zealand NZISM 3.6 — New Zealand Information Security Manual

Why it Matters

NZISM provides a structured approach to safeguarding information and managing security risks across New Zealand government digital systems.

Key benefits include:

• Strengthen information security governance

Support consistent accountability and oversight for information security practices within governmental and contractor environments.

• Enhance national compliance alignment

Ensure information security polices comply with New Zealand government standards and relevant national regulatory requirements.

• Improve risk management effectiveness

Enable organizations to systematically identify, assess, and mitigate cybersecurity risks associated with sensitive government data.

• Support incident detection and response

Strengthen preparedness for security incidents through clearly defined processes for identifying and responding to security events.

• Protect sensitive government information

Safeguard public sector data confidentiality, integrity, and availability from evolving cyber threats and unauthorized access.

How it Works

The New Zealand Information Security Manual (NZISM) structures its guidance through detailed control catalogs organized into security domains such as governance, personnel security, physical security, and information and communications technology (ICT) security. Each domain comprises specific security controls, regulatory requirements, and risk management processes tailored for New Zealand government agencies and entities handling official information. NZISM also references maturity models and lifecycle processes to help agencies assess and enhance their information security posture over time.

Organizations incorporate NZISM requirements by implementing prescribed security controls, routinely conducting risk assessments, and mapping these controls to their existing security governance frameworks. They regularly monitor compliance, address gaps through remediation activities, and assess their cyber resilience in business operations. NZISM supports regulatory compliance by guiding organizations in developing security policies, managing vulnerabilities, responding to incidents, and continuously improving their security practices.

Through SmartSuite, organizations can operationalize NZISM by leveraging integrated control libraries aligned to NZISM domains, maintaining comprehensive risk registers, and managing policy governance. The platform enables evidence collection, compliance tracking, and oversight through audit readiness modules and remediation workflows. Reporting dashboards facilitate ongoing monitoring of security and compliance status, supporting transparent governance and efficient regulatory management.

Key Elements

• Security Control Families

Groups mandatory information security controls into thematic areas such as access management, cryptography, and network security.

• Governance and Accountability Structure

Establishes organizational responsibilities, reporting lines, and oversight mechanisms for managing information security.

• Risk Assessment and Treatment Processes

Describes systematic evaluation of information security risks and determination of risk treatment options.

• Incident Response Framework

Outlines coordination, reporting, and handling processes for cybersecurity incidents affecting government information systems.

• Compliance and Monitoring Requirements

Specifies expectations for ongoing compliance checks, independent reviews, and security control effectiveness measurement.

• Information Classification and Handling

Defines procedures for categorizing, marking, and protecting sensitive government data throughout its lifecycle.

Framework Scope

New Zealand Information Security Manual (NZISM) 3.6 is commonly used by government agencies, contractors, and entities handling sensitive public sector information. The framework governs digital information systems, communications networks, and data environments, typically implemented for regulatory compliance, risk management initiatives, and supporting assurance programs across public sector operations.

Framework Objectives

NZISM 3.6 defines comprehensive objectives to safeguard government information and support robust cybersecurity and governance practices.

Strengthen cybersecurity risk management across government and critical information systems

Enhance governance and oversight of security controls and data protection measures

Support regulatory compliance with New Zealand government security requirements

Promote improved operational resilience to mitigate and respond to cyber threats

Ensure consistent data protection for sensitive and classified government information

Demonstrate audit readiness and effective security posture through documented controls

Framework in Context

NZISM 3.6 provides New Zealand government cybersecurity guidance and maps to international standards such as ASD ISM, NIST SP 800-53, and ISO/IEC 27001. Organizations use NZISM for meeting public-sector regulatory requirements, supplier assurance, and strengthening security governance and operational controls, often aligning with these frameworks for audits.

Common Framework Mappings

Organizations map NZISM to internationally recognized security and privacy frameworks to harmonize controls, simplify audits, facilitate regulatory compliance, and enable cross-jurisdictional assurance and supplier risk management.

Mapped frameworks include:

Australian Information Security Manual (ASD ISM)

CIS Critical Security Controls

ISO/IEC 27001

ISO/IEC 27002

ISO/IEC 27017

ISO/IEC 27701

NIST Cybersecurity Framework

NIST Special Publication 800-53