Home
arrow_forward_ios
Frameworks
arrow_forward_ios
NZISM v3.6
Cybersecurity
DETAIL

New Zealand NZISM 3.6 — New Zealand Information Security Manual

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting.
Framework text may require a separate license unless explicitly provided.

Overview

New Zealand Information Security Manual (NZISM) 3.6 is a national cybersecurity framework that provides security controls and guidance to help New Zealand government agencies protect their information and systems.

Why it Matters

NZISM 3.6 establishes a comprehensive baseline for information security in New Zealand government agencies. Key benefits include:

  • Strengthen cybersecurity governance

Establish consistent security policies and accountability structures across government agencies and their service providers.

  • Enhance regulatory compliance

Support alignment with New Zealand government security requirements and international standards, facilitating audits and reviews.

  • Improve risk management

Provide a risk-based control framework enabling agencies to prioritize and address security threats effectively.

  • Increase audit readiness

Maintain structured documentation and evidence of control implementation to demonstrate compliance during assessments.

How it Works

NZISM 3.6 is organized around security control families addressing governance, risk management, physical security, access control, network security, and incident management, with controls mapped to classification levels.

Key Elements

  • Security Control Families

Organizes technical and administrative controls into domains for systematic implementation across government environments.

  • Classification-Based Requirements

Maps security controls to information classification levels from unclassified through to highly restricted.

  • Risk Management Framework

Provides guidance for conducting risk assessments and selecting appropriate controls based on risk exposure.

  • Compliance Assessment Processes

Defines requirements for ongoing monitoring, audit, and assurance of security control effectiveness.

Framework Scope

NZISM 3.6 is implemented by New Zealand government agencies and their service providers handling government information and systems.

Framework Objectives

NZISM 3.6 establishes security requirements to protect New Zealand government information and enable safe digital operations.

  • Protect government information through robust security controls and risk management
  • Strengthen cybersecurity governance and oversight across public sector agencies
  • Support compliance with government security policies and international standards
  • Enable audit readiness through structured control implementation and documentation
At a Glance
NZISM v3.6
  • checklist
    Classicifation
    Category
    info
    Cybersecurity
    Domain
    info
    Cybersecurity
    Framework Family
    info
    Other
  • info
    Regulatory Context
    Type
    info
    Framework
    Legal Instrument
    info
    Standard
    Sector
    info
    Government Sector
    Industry
    info
    Government & Public Sector
  • arrow_upload_ready
    Region / Publisher
    Region
    info
    Australia & New Zealand
    Region Detail
    info
    New Zealand
    Publisher
    info
    National Cyber Security Centre (NCSC)
  • published_with_changes
    Versioning
    Version
    info
    NZISM Version 3.6
    Effective Date
    info
    2023
    Issue Date
    info
    2023
  • graph_3
    Adoption
    Adoption Model
    info
    Regulatory Compliance
    Implementation Complexity
    info
    High
  • captive_portal
    Official Reference
    Source
    info
    Open Link in New Tab
License Information

License included / downloadable: Yes

The NZISM is publicly available through the New Zealand National Cyber Security Centre.

Official Resources
New Zealand Information Security Manual (NZISM) 3.6
Defines comprehensive guidelines for cybersecurity controls within New Zealand's government agencies.
chevron_forward
NZISM Implementation Guidance
Provides detailed implementation insights for integrating NZISM controls into organizational policies.
chevron_forward
NZISM Risk Management Framework
Outlines risk management practices aligned with NZISM for effective information assurance.
chevron_forward
NZISM Compliance and Security Requirements
Describes compliance requirements to meet NZISM security standards in public sector organizations.
chevron_forward
SMARTSUITE

How SmartSuite Supports NZISM 3.6

Manage New Zealand Information Security Manual (NZISM 3.6) requirements by organizing government security controls, tracking system compliance, and maintaining evidence supporting protection of sensitive information systems.

Government Security Control Framework

Structure NZISM controls with ownership, scope, and implementation tracking across systems.

System Classification and Security Baselines

Classify systems and apply appropriate baseline security controls based on sensitivity.

Authentication and Access Governance

Manage authentication, authorization, and user access aligned to NZISM requirements.

Network Security and System Hardening

Track secure configurations, network protections, and system hardening practices.

System Activity Monitoring and Incident Response

Monitor system activity and manage incident response workflows and escalation processes.

NZISM Compliance and Government Reporting

Provide dashboards showing control coverage, system compliance status, and NZISM readiness.

Related frameworks

ASD ISM

The Australia Information Security Manual provides mandated cybersecurity controls and guidance to protect Australian government systems and data.

Learn More
arrow_forward
CIS Controls v8.1

CIS Controls v8.1 provides prioritized, practical security actions to help organizations mitigate common cyber threats and strengthen defenses.

Learn More
arrow_forward
ISO 27001:2022

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

Learn More
arrow_forward
ISO 27002:2022

ISO/IEC 27002:2022 provides best-practice information security controls to help organizations select, implement, and manage protections for information assets.

Learn More
arrow_forward
ISO 27017

ISO/IEC 27017 provides cloud-specific security controls to help organizations protect data and manage cloud-related risks.

Learn More
arrow_forward
ISO 27701

ISO/IEC 27701 extends ISO/IEC 27001 to help organizations manage privacy and protect personally identifiable information.

Learn More
arrow_forward
NIST CSF 2.0

NIST Cybersecurity Framework (CSF) v2.0 is a risk-based framework that helps organizations manage and reduce cybersecurity risks.

Learn More
arrow_forward
NIST 800-53 Rev.5

NIST SP 800-53 Rev. 5 provides a catalog of security and privacy controls to manage risks to information systems.

Learn More
arrow_forward
ONBOARDING FAQS

Frequently Asked Questions For New Zealand NZISM 3.6 (New Zealand Information Security Manual)

What is NZISM used for?

NZISM is used to provide comprehensive information security requirements and guidance for New Zealand government agencies and related organizations. It sets standards for managing security risks, implementing cybersecurity controls, and safeguarding sensitive government data across digital systems.

Is NZISM compliance mandatory for organizations?

NZISM compliance is mandatory for New Zealand government agencies and organizations handling sensitive government information. Compliance is enforced through government policy and oversight by the Government Communications Security Bureau (GCSB).

Who must comply with NZISM and what does its scope cover?

NZISM applies to all New Zealand government departments, agencies, and any contractors or third parties managing official or classified government information. Its scope includes the protection of information, systems, infrastructure, and supporting services that process or store government data.

What are the key security controls required by NZISM?

NZISM specifies security controls such as access management, network security, data protection, incident response, secure configuration, and monitoring. Organizations are required to assess and implement controls appropriate to the classification and sensitivity of their information assets.

How should organizations implement NZISM requirements?

Organizations should integrate NZISM requirements into their risk management processes, security policies, and operational procedures. This typically involves conducting risk assessments, performing security control gap analyses, and regularly reviewing operational practices for alignment with NZISM controls.

How does NZISM relate to other cybersecurity frameworks?

NZISM aligns with international standards such as ISO 27001 and NIST, providing a national context tailored for New Zealand government needs. It often references or complements controls from these frameworks, allowing organizations to leverage existing best practices when achieving NZISM compliance.

What are the ongoing compliance and audit requirements for NZISM?

Ongoing compliance with NZISM requires continuous risk assessments, regular reviews of security controls, incident reporting, and maintaining records of compliance activities. Agencies are subject to periodic internal and external audits to validate adherence to NZISM standards.

How would SmartSuite support NZISM 3.6?

SmartSuite can help organizations operationalize NZISM by centralizing management of cybersecurity policies, tracking risk assessments, and documenting control implementation. It enables efficient collection of compliance evidence, facilitates audit readiness through automated reporting, and helps security teams monitor and maintain NZISM requirements across the organization.

NEXT STEP

Put CRI Profile into action with SmartSuite

Map controls, collect evidence, run assessments, manage remediation, and report readiness - all from a single connected system.

Explore in SmartSuite
chevron_forward
View all Frameworks
chevron_forward