The New Zealand Information Security Manual (NZISM) provides up-to-date technical policy to assist government departments and agencies in securing information systems and the data stored in those systems.
It recognises the changing technologies and threat environment in which government departments and agencies operate and should be considered as a best practice guide, even where an agency may not access or process classified information. In cases where official or classified information is processed, this guidance should be considered as the baseline information security standard.
You may download a copy of the NZISM here. [PDF 1.32MB]
No printed or CD copies are provided.
The publication of the NZISM supersedes the New Zealand Security of Information Technology (NZSIT) 400, 401 and 402 technical policy and guidance last published in 2008. These NZSIT documents should therefore be withdrawn from use.
We welcome commentary on completeness, ease of use and identification of any error or ambiguity in the NZISM. To assist us in improving subsequent versions of the NZISM any commentary or queries should be submitted to firstname.lastname@example.org.
NZISM FAQ:
Click on a question in the menu below to see answers and examples.
How does the NZISM apply to UNCLASSIFIED or IN-CONFIDENCE systems and information?
The NZISM states: "This manual does not specifically deal with UNCLASSIFIED or IN-CONFIDENCE information. In determining security measures agencies should however, conform with the guidance in this manual. Information classified SENSITIVE should be treated as RESTRICTED for the purposes of determining information security and information handling." (Chapter 1, CONTEXT, Scope).
The Controls element of each section specifies the applicability to the relevant classifications, for example "System Classification(s): R, C, S, TS; Compliance: should". If the controls specified in the subsequent text apply to RESTRICTED information, they will also be relevant to UNCLASSIFIED and IN-CONFIDENCE systems. The exception is where a control applies only to CONFIDENTIAL, SECRET or TOP SECRET classifications, in which case the control is specific to the stated classifications.
Applicability for all classifications will be specified in the next version of the NZISM.
"Contents of IRPs System Classification(s): R, C, S, TS; Compliance: must Agencies must include, as a minimum, the following content within their IRP:" (4.6 Incident Response Plans, page 42).
Explanation:
This applies to all classification levels, including UNCLASSIFIED and IN-CONFIDENCE.
"Recording seal usage System Classification(s): TS; Compliance: must Agencies must record the usage of seals in a register that is appropriately secured" (8.5 Tamper Evident Seals, page 82).
Explanation:
This control applies ONLY to TOP SECRET systems.
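An added example (not from the NZISM or the GCSB) that applies the reading rule above to the two control headers quoted: it parses the "System Classification(s): ...; Compliance: ..." header and decides whether a control applies to a system at a given classification, treating UNCLASSIFIED, IN-CONFIDENCE and SENSITIVE as RESTRICTED as the FAQ describes. The abbreviation table, sample control lines and function names are assumptions made for this example.

```python
import re

# Assumed mapping from a system's classification to the abbreviation used in
# NZISM control headers. UNCLASSIFIED and IN-CONFIDENCE never appear in a header;
# per the FAQ, controls that apply to RESTRICTED (R) also apply to them, and
# SENSITIVE is treated as RESTRICTED.
CLASS_ABBREV = {
    "UNCLASSIFIED": "R",
    "IN-CONFIDENCE": "R",
    "SENSITIVE": "R",
    "RESTRICTED": "R",
    "CONFIDENTIAL": "C",
    "SECRET": "S",
    "TOP SECRET": "TS",
}

# Matches e.g. "System Classification(s): R, C, S, TS; Compliance: must"
HEADER_RE = re.compile(
    r"System Classification\(s\):\s*(?P<classes>[A-Z,\s]+?);\s*Compliance:\s*(?P<compliance>\w+)"
)

# Constructed sample control lines, modelled on the two quoted above.
CONTROLS = {
    "Contents of IRPs": "Contents of IRPs System Classification(s): R, C, S, TS; "
                        "Compliance: must Agencies must include the following content within their IRP:",
    "Recording seal usage": "Recording seal usage System Classification(s): TS; "
                            "Compliance: must Agencies must record the usage of seals in a register",
}


def parse_control_header(text):
    """Return (set of classification abbreviations, compliance word) from a control line."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no control header found in: %r" % text)
    classes = {c.strip() for c in m.group("classes").split(",") if c.strip()}
    return classes, m.group("compliance").lower()


def control_applies(text, system_classification):
    """Return the compliance word ('must'/'should') if the control applies, else None."""
    classes, compliance = parse_control_header(text)
    key = CLASS_ABBREV[system_classification.strip().upper()]
    return compliance if key in classes else None


def applicability_matrix(system_classification, controls=CONTROLS):
    """Map each control name to its compliance word for the given system, or None."""
    return {name: control_applies(line, system_classification) for name, line in controls.items()}
```

Running applicability_matrix("IN-CONFIDENCE") reports "must" for the IRP control and None for the seal register, matching the two explanations above.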
In the section on Approved Cryptographic Algorithms (Section 16.2) it talks about legacy systems. How do you define legacy systems?
In terms of Approved Cryptographic Algorithms, a legacy system is any existing application that employs encryption. Where a legacy system that does not employ encryption is reconfigured to use encryption, the system ceases to be a legacy system for the purposes of selecting encryption algorithms. Similarly any legacy system that has a version change or update/upgrade (hardware, software or firmware) ceases to be a legacy system for the purposes of selecting encryption algorithms.
Who is responsible for the agency's use of the NZISM?
The Chief Executive, Agency Head, Director General or similar title is responsible for information security within their own agency or organisation. The day-to-day activities are usually delegated to the CISO, ITSM and DSO (described in Section 3 – Cyber Security Governance).
Who "owns" the various documents comprising national policy?
The References section of Section 1 - About Cyber Security provides a table of relevant documentation and the issuing authority or document “owner”.
Why has the list of risks shown in previous versions of the Australian ISM been removed?
Essentially the list of risks became a publication in its own right and was unable to identify all risks for all organisations or agencies on an ongoing basis. The key elements of risk identification are:
- Each organisation has the responsibility for the management of risk within their own organisation or agency;
- There is no complete list of risks;
- Risk is time-bound and some risks will change over time;
- Risk interpretation will be tied to an organisation’s culture, structure, operations etc.;
- Risk mitigation may be resource-dependent (noting that the NZISM provides baseline controls and counter-measures for known risks and threats).
The information in, and the selection of controls described in, the NZISM should be considered as the minimum level or baseline controls, based on the GCSB's assessment of risk in each area. While agencies may assess risk in an individual area as a "low" risk, applying controls that fall below the NZISM minimum standards will inevitably raise residual risk levels above acceptable levels (because controls are inadequate or insufficient).