Good Security

New Zealand Information Security Manual (NZISM)

Government buyers ask specific questions. They want specific answers.

This requirement usually comes up when a government customer, agency, or prime contractor stops asking general questions and wants proof that you can handle their information the way public-sector buyers expect.

This page helps when

  • An agency or prime contractor wants evidence you can handle their information properly
  • You need to scope which NZISM expectations actually apply instead of treating the whole manual as one checklist
  • Government revenue is in play and security questions are getting more specific

Best next move

Start with Assurance.

Use the scorecard for a fast benchmark, then move into a working session when this requirement is already affecting customers, insurers, procurement, or internal accountability.

Current Position

Minimum Cyber Security Standards published on 30 October 2025

The NCSC published the Minimum Cyber Security Standards on 30 October 2025. They are intended for GCISO-mandated agencies, and non-mandated agencies can adopt them voluntarily. Suppliers should expect agencies to reference them where relevant, but the exact obligations still depend on contract scope and the information handled.

Source: NCSC Minimum Cyber Security Standards

Where This Starts To Hurt

The buyer moment that makes this rule urgent

The moment usually arrives when MBIE procurement, a DIA clearance review, or an AoG prime contractor asks for the NZISM-aligned supplier assurance baseline.

NZISM becomes real when government work starts getting serious. An agency, prime contractor, or procurement team wants more than a general assurance statement. They want to know how information will be handled, what evidence exists, and whether the supplier understands public-sector expectations before the contract gets any further.

Most businesses do not need the whole manual. They need to know which parts actually apply to their contract, systems, and information handling. That distinction matters because NZISM is large and prescriptive, and the right scope depends on what you do for government, what data you touch, and how critical the service is.

For private-sector organisations, the real job is turning NZISM from a government reference into a proportionate working plan. Done well, that lets you answer agency questions with confidence, avoid over-engineering, and build evidence that also supports broader assurance work.

What Starts Breaking

What stalls: deals, audits, or insurer renewals

NZISM matters because it can decide whether procurement, onboarding, and assurance reviews move forward when government work is on the table. Agencies and prime contractors use it as shorthand for serious security expectations, which means suppliers need a credible answer long before any formal audit appears.

It is also one of the most locally relevant security references available to New Zealand organisations. It reflects New Zealand agency practice, classifications, and assurance expectations in a way international standards do not, so it is often the clearest way to talk about public-sector trust requirements.

Businesses usually struggle with NZISM for one of two reasons: they ignore it until an agency asks for evidence, or they assume every control applies equally. A scoped, evidence-led approach avoids both mistakes and turns NZISM into a commercial enabler instead of a confusing blocker.

What You Will Need To Prove

The first controls, owners, and evidence to put in place

System certification and accreditation, information classification, and the control set for the relevant classification carry the most commercial weight on a panel review.

See the main requirements
01

Information Security Governance

Organisations must establish clear governance structures for information security, including defined roles and responsibilities, management commitment, policy frameworks, and reporting lines. The security operating model must be documented, resourced, and subject to regular review.

02

Personnel Security

Controls must be in place to manage the security risks associated with personnel throughout their employment lifecycle — from pre-employment vetting and security clearance processes through to ongoing security awareness, change of role, and separation procedures.

03

Physical Security

Information processing facilities and the environments in which sensitive information is handled must be protected by physical security controls including perimeter security, access control systems, visitor management, and environmental protections appropriate to the classification of information handled.

04

Information Management

Information must be classified, marked, handled, stored, transferred, and disposed of in accordance with its protective marking and sensitivity. This includes managing information throughout its lifecycle and ensuring that classification decisions are documented and communicated.

05

System Security and Hardening

Information systems must be configured securely, with hardening baselines applied, unnecessary services disabled, and security patches applied in a timely manner. Systems processing classified or sensitive information must meet specific technical requirements defined in the NZISM.

06

Communications Security

Controls must protect information during transmission across networks, including the use of approved cryptographic mechanisms, network segmentation, gateway security, and monitoring. Requirements vary based on the classification of information being transmitted.

07

Access Control and Authentication

Access to information and systems must be controlled based on the principle of least privilege. Strong authentication mechanisms must be used, privileged access must be tightly managed, and access rights must be reviewed regularly to confirm they remain appropriate.

08

System Certification and Accreditation

Government systems must undergo a formal certification and accreditation process to assess their security position before being approved to process information at a given classification level. This includes security risk assessments, penetration testing, and documented approval decisions.

How We Help You Answer It

When the business usually calls us

We usually get called when a C and A refresh is 60 days out or a DIA assurance request threatens a panel contract.

See The Gap Before The Tender Reviewer Does

Our analyst-prepared gap assessment evaluates your current security position against the NZISM controls relevant to your organisation's classification level and scope. We identify specific gaps, prioritise improvements, and provide a practical roadmap to compliance — cutting through the manual's complexity to focus on what matters for your situation.

See what an auditor will ask for before they ask

We track your NZISM position continuously, providing a scored view of your alignment to mandatory and recommended controls. This gives you clear visibility into readiness for government assessments and helps you demonstrate current status to agencies and procurement teams.

Stop Rebuilding The Same Evidence For Every Standard

We map NZISM controls to ISO 27001, the Privacy Act, and other frameworks your organisation must address. That cross-framework mapping means every control implementation counts toward multiple compliance objectives, so the work pays off across more than one standard.

Stop Maintaining Policies Nobody Actually Reads

We develop and maintain the policy suite that underpins NZISM compliance — including information security policies, acceptable use policies, classification and handling procedures, and incident management plans — keeping them aligned with NZISM requirements and current as the manual is updated.

Stop Guessing When A Buyer Asks How Secure You Are

Our full security baseline assessment provides the starting point for NZISM alignment, evaluating your current controls across all relevant domains and producing a clear gap view that maps directly to NZISM chapter requirements.

Stop rewriting the same questionnaire for every deal

Government agencies and prime contractors frequently issue detailed security questionnaires referencing NZISM. Our reviewed response library maintains your answers to common NZISM-aligned questions, so you can answer quickly and consistently and show your compliance status.

Questions Before A Decision

The questions that come up before the contract

Does NZISM apply to my business?

The NZISM is mandatory for New Zealand government agencies. If your organisation is a private sector business, NZISM applies to you when government agencies require it through procurement contracts, supplier security requirements, or information sharing agreements. If you handle government information, provide services to government agencies, or are part of a government supply chain, you should expect NZISM-referenced requirements to appear in your contractual obligations.

What's the difference between NZISM and ISO 27001?

ISO 27001 is an international standard focused on establishing an information security management system, while the NZISM is a prescriptive New Zealand Government security manual with detailed technical controls. ISO 27001 tells you what outcomes to achieve; the NZISM tells you specifically how to achieve them in a New Zealand Government context. There is substantial overlap — roughly 70-80% of controls are conceptually aligned — and Good Security maps between the two frameworks so that compliance effort counts toward both.

What are the NCSC Minimum Cyber Security Standards?

The NCSC published the Minimum Cyber Security Standards on 30 October 2025. They are intended for GCISO-mandated agencies, and non-mandated agencies can adopt them voluntarily. In practice, they make the baseline clearer for agencies and create a stronger reference point in supplier conversations, but they do not mean every private-sector supplier automatically has to meet every NZISM control.

Do government suppliers need full NZISM compliance?

Not necessarily full compliance with every NZISM control — the applicable scope depends on the nature of the services you provide and the classification of information you handle. A supplier hosting a government system will face more extensive requirements than one providing advisory services. However, government agencies increasingly expect suppliers to demonstrate alignment with NZISM controls relevant to their engagement scope. Good Security helps you determine exactly which controls apply to your situation and build a proportionate working plan instead of treating the whole manual as one giant checklist.

How does NZISM relate to the Protective Security Requirements (PSR)?

The Protective Security Requirements (PSR) is the New Zealand Government's overarching protective security framework, covering governance, personnel security, physical security, and information security. The NZISM is the detailed information security component that supports the PSR's information security requirements. Think of the PSR as the umbrella framework and the NZISM as the technical manual that implements the information security pillar. Compliance with NZISM controls directly supports your obligations under the PSR.

Need a clearer answer on New Zealand Information Security Manual (NZISM)?

A working session scopes the NZISM control baseline, the C and A roadmap, and the supplier-assurance response the next DIA review expects.