The New Zealand Information Security Manual (NZISM) is the New Zealand Government’s manual on information assurance and information systems security.
Safe, secure and functional information systems are vital for the successful operation of all government organisations. These systems underpin public confidence, support privacy and security and are fundamental to the effective, efficient and safe conduct of public and government business.
The consequences of a security lapse can be significant, regardless of where in an organisation it occurs or how severe it is. These consequences can damage an organisation’s reputation, undermine public confidence and cause significant damage to information systems. The damage can be intensified where a single system is used by multiple agencies.
A fundamental part of the NZISM is the clarification of governance requirements, role and authority of the chief and of senior executives, and further clarity on the principal assurance process – the certification and accreditation framework.
Chief Executives or heads of government departments and agencies are ultimately accountable for the management of risk and security within their organisations. Assurance on the governance, management and security of information and information systems is vital in meeting these responsibilities.
The NZISM has evolved from the New Zealand Security of Information Technology (NZSIT) policies developed in the 1990’s, redeveloped into the NZSIT 400 series in 2004 and then replaced by the NZISM in 2010. A major rewrite took place in 2014, the third major version of this manual to be published. This version of the NZISM was completely redeveloped in order to provide more clarity and to incorporate guidance on new technologies. The redevelopment process was supported by extensive consultation within government and with the vendor and practitioner communities.
In addition, more frequent updates to accommodate the rapid pace of technological change are now a feature of the NZISM.
The NZISM is a practitioner’s manual designed to meet the needs of agency information security executives as well as vendors, contractors and consultants who provide services to agencies. It includes minimum technical security standards for good system hygiene, as well as providing other technical and security guidance for government departments and agencies to support good information governance and assurance practices.
It is consistent with a wide variety of risk management, governance, assurance and technical standards, including the ISO/IEC 2700x series, as well as IETF, OASIS, NIST and other recognised standards bodies.
The NZISM, while intended primarily for the use of government departments and agencies, and their service providers, will be equally useful for Crown Entities, Local Government bodies and private sector organisations.
The December 2017 version 2.7 of the NZISM is now available and supersedes all previous versions of the manual.
Prior versions of the change register are available on request if there is a requirement to trace changes to the date of their introduction.