IT:AD:New Zealand Information Security Manual (NZISM)


At the very least, one can say that the NZISM is…huge.

  • It's a living document, needs to be consulted regularly, and deliverables MUST meet it's applicable sections at the time of go-live.
  • Applicability:
    • MUST: A set of baseline Controls [NZISM:1.1.5] must [NZISM:1.1.42] be applied to Information classified as: UNCLASSIFIED, INCONFIDENCE, SENSITIVE or RESTRICTED [NZISM:1.1.4], unless the control is clearly demonstrated as not relevant, and exempted by [NZISM:1.1.44], the Accreditation Authority [NZISM:1.1.43].
  • Exemptions:
    • The Accreditation Authority may accept [NZISM:1.1.45] the non-application of controls due to many circumstances (eg: impossibility of legacy systems to comply [NZISM:1.1.48], budget or other constraints [NSISM:1.1.49]).
    • In such circumstances, a request for dispensation by a systems owner [NZISM:1.1.61.C.01] should include a risk assessment which clearly identify compensating controls to reduce risks to an acceptable level [NZISM:1.1.49].
    • Agencies may not risk-manage MUST controls without putting the organisation's and potentially All-Of-Government assurances at risk [NZISM:1.1.61]
      • System owners seeking a dispensation [NZISM:1.1.61.C.01] for non-compliance with essential controls MUST complete an agency risk assessment which documents:
        • the reason(s) for not being able to comply with this manual;
        • the alternative mitigation measure(s) to be implemented;
        • The strength and applicability of the alternative mitigations;
        • an assessment of the residual security risk(s); and
        • a date by which to review the decision.

      * Cloud:

      • Review [NZISM:2.2.5.C.01] [NZISM:2.2.5.C.02] [NZISM:2.2.5.C.02]

      * Operations:

    • Agencies SHOULD review decisions to be non-compliant with any controls at least annually [NZISM:1.1.65.C.01].