Compliance
New Zealand Information Security Manual (NZISM)
The New Zealand Government's information security manual, commonly referenced by agencies and suppliers that need to show alignment with government security expectations.
Current Position
Minimum Cyber Security Standards published on 30 October 2025
The NCSC published the Minimum Cyber Security Standards on 30 October 2025. They are intended for GCISO-mandated agencies, and non-mandated agencies can adopt them voluntarily. Suppliers should expect agencies to reference them where relevant, but the exact obligations still depend on contract scope and the information handled.
What is really being asked of the business
What this requirement is trying to protect in the real world
A good compliance programme starts by understanding the business purpose behind the requirement rather than treating it like a checklist.
The New Zealand Information Security Manual (NZISM) is the New Zealand Government's comprehensive reference for information security. Maintained by the Government Communications Security Bureau (GCSB) through its National Cyber Security Centre (NCSC), the NZISM provides detailed controls and guidance covering governance, personnel security, cloud, cryptography, physical protection, and technical operations. It is a core reference point for government assurance work and is frequently used when agencies define the security expectations they place on suppliers.
The NZISM is a large, prescriptive document organised across multiple chapters. Controls are classified as mandatory (must comply), should (expected to comply unless risk-justified), and could (recommended good practice). The manual is updated over time to reflect changes in the threat landscape and government expectations. On 30 October 2025, the NCSC published its Minimum Cyber Security Standards. Those standards are intended for GCISO-mandated agencies, with non-mandated agencies welcome to adopt them. That means the standards already exist, but they do not create one identical checklist for every supplier in every circumstance.
While the NZISM is designed primarily for government, its controls map well to international standards including ISO/IEC 27001. Organisations that invest in NZISM compliance often find they are well-positioned to pursue ISO 27001 certification or meet other framework requirements with minimal additional effort. For private sector organisations that work with — or aspire to work with — New Zealand government agencies, understanding and aligning to the NZISM is both a compliance necessity and a pathway to a stronger security position.
Why It Matters
Why business owners, customers, and boards pay attention to it.
If your organisation does work with New Zealand government agencies — or wants to — the NZISM is difficult to ignore. Agencies regularly reference NZISM or PSR-aligned expectations in procurement, onboarding, and assurance reviews. Those requirements can flow into supply chains, but the exact controls that matter depend on the contract, the services you provide, and the information you handle. The published Minimum Cyber Security Standards make agency expectations more concrete without automatically imposing one universal supplier checklist.
Beyond government supply chain access, aligning to the NZISM delivers practical security benefits for any New Zealand organisation. The manual is thorough, well-structured, and tailored to the New Zealand context in a way that international standards are not. It addresses New Zealand-specific considerations including the protective marking system, New Zealand Government security classifications, and the roles of agencies like CERT NZ and the NCSC. For organisations building a security programme from scratch, the NZISM provides a thorough and locally relevant framework to work from.
The overlap between NZISM and ISO 27001 is substantial, and Good Security helps clients use this alignment. An organisation that implements controls to meet NZISM requirements will have completed significant groundwork toward ISO 27001 certification, and vice versa. Our cross-framework control mapping means every control you implement is credited against every applicable framework, maximising the return on your compliance investment and avoiding the common trap of duplicate effort across parallel compliance programmes.
Key Requirements
The obligations most businesses need translated into operating reality.
This is where the framework turns into documented controls, ownership, evidence, and review cycles.
Information Security Governance
Organisations must establish clear governance structures for information security, including defined roles and responsibilities, management commitment, policy frameworks, and reporting lines. An information security programme must be documented, resourced, and subject to regular review.
Personnel Security
Controls must be in place to manage the security risks associated with personnel throughout their employment lifecycle — from pre-employment vetting and security clearance processes through to ongoing security awareness, change of role, and separation procedures.
Physical Security
Information processing facilities and the environments in which sensitive information is handled must be protected by physical security controls including perimeter security, access control systems, visitor management, and environmental protections appropriate to the classification of information handled.
Information Management
Information must be classified, marked, handled, stored, transferred, and disposed of in accordance with its protective marking and sensitivity. This includes managing information throughout its lifecycle and ensuring that classification decisions are documented and communicated.
System Security and Hardening
Information systems must be configured securely, with hardening baselines applied, unnecessary services disabled, and security patches applied in a timely manner. Systems processing classified or sensitive information must meet specific technical requirements defined in the NZISM.
Communications Security
Controls must protect information during transmission across networks, including the use of approved cryptographic mechanisms, network segmentation, gateway security, and monitoring. Requirements vary based on the classification of information being transmitted.
Access Control and Authentication
Access to information and systems must be controlled based on the principle of least privilege. Strong authentication mechanisms must be used, privileged access must be tightly managed, and access rights must be reviewed regularly to confirm they remain appropriate.
System Certification and Accreditation
Government systems must undergo a formal certification and accreditation process to assess their security position before being approved to process information at a given classification level. This includes security risk assessments, penetration testing, and documented approval decisions.
How Good Security Helps
Where businesses usually need practical support.
This is about building the policies, registers, evidence, and governance needed to stand up to scrutiny.
Government Standards Gap Assessment
Our analyst-prepared gap assessment evaluates your current security position against the NZISM controls relevant to your organisation's classification level and scope. We identify specific gaps, prioritise improvements, and provide a practical roadmap to compliance — cutting through the manual's complexity to focus on what matters for your situation.
Audit Readiness Score & Evidence Compiler
We track your NZISM compliance status continuously, providing a scored view of your alignment to mandatory and recommended controls. This gives you clear visibility into readiness for government assessments and helps you demonstrate compliance status to agencies and procurement teams.
Multi-Standard Compliance Mapping
Our deep analysis maps NZISM controls to ISO 27001, the Privacy Act, and other frameworks your organisation must address. This cross-framework mapping means every control implementation counts toward multiple compliance objectives, eliminating wasted effort and maximising your security investment.
Policy Suite & Lifecycle Management
We develop and maintain the policy suite that underpins NZISM compliance — including information security policies, acceptable use policies, classification and handling procedures, and incident management plans — keeping them aligned with NZISM requirements and current as the manual is updated.
Security Baseline Assessment
Our full security baseline assessment provides the starting point for NZISM alignment, evaluating your current controls across all relevant domains and producing a maturity scorecard that maps directly to NZISM chapter requirements.
Security Questionnaire Response Engine
Government agencies and prime contractors frequently issue detailed security questionnaires referencing NZISM. Our expert-reviewed response engine maintains your answers to common NZISM-aligned questions, enabling rapid, consistent, and accurate responses that demonstrate your compliance status.
Further Reading
Related guidance for teams that need the detail.
These articles go deeper into the surrounding decisions, timelines, and implementation issues.
FAQ
Common commercial questions.
Does NZISM apply to my business?
The NZISM is mandatory for New Zealand government agencies. If your organisation is a private sector business, NZISM applies to you when government agencies require it through procurement contracts, supplier security requirements, or information sharing agreements. If you handle government information, provide services to government agencies, or are part of a government supply chain, you should expect NZISM-referenced requirements to appear in your contractual obligations.
What's the difference between NZISM and ISO 27001?
ISO 27001 is an international standard focused on establishing an information security management system, while the NZISM is a prescriptive New Zealand Government security manual with detailed technical controls. ISO 27001 tells you what outcomes to achieve; the NZISM tells you specifically how to achieve them in a New Zealand Government context. There is substantial overlap — roughly 70-80% of controls are conceptually aligned — and Good Security maps between the two frameworks so that compliance effort counts toward both.
What are the NCSC Minimum Cyber Security Standards?
The NCSC published the Minimum Cyber Security Standards on 30 October 2025. They are intended for GCISO-mandated agencies, and non-mandated agencies can adopt them voluntarily. In practice, they make the baseline clearer for agencies and create a stronger reference point in supplier conversations, but they do not mean every private-sector supplier automatically has to meet every NZISM control.
Do government suppliers need full NZISM compliance?
Not necessarily full compliance with every NZISM control — the applicable scope depends on the nature of the services you provide and the classification of information you handle. A supplier hosting a government system will face more extensive requirements than one providing advisory services. However, government agencies increasingly expect suppliers to demonstrate alignment with NZISM controls relevant to their engagement scope. Good Security helps you determine exactly which controls apply to your situation and build a proportionate compliance programme.
How does NZISM relate to the Protective Security Requirements (PSR)?
The Protective Security Requirements (PSR) is the New Zealand Government's overarching protective security framework, covering governance, personnel security, physical security, and information security. The NZISM is the detailed information security component that supports the PSR's information security requirements. Think of the PSR as the umbrella framework and the NZISM as the technical manual that implements the information security pillar. Compliance with NZISM controls directly supports your obligations under the PSR.
Most businesses managing New Zealand Information Security Manual (NZISM) obligations start with Assurance.
If you are weighing up fit, scope, or urgency, start with the scorecard for a fast benchmark and book a consultation when you need a practical next-step plan.