Classification system

How to measure the performance of the Classification System

Use the Protective Security Requirements assurance and reporting tools below to assess the maturity of your organisation’s classification capability alongside your other protective security capabilities.

The PSR assurance tools have been updated to include additional maturity indicators related to the Classification System across different capability dimensions. These tools are available to any organisation to measure their performance in the use of the Classification System. 

Tools and their usage

Protective Security Capability Maturity Model (July 2022)

The model enables you to assess the maturity of your classification capability alongside your other protective security capabilities and helps you to identify how you could develop them further.

The model recognises that each organisation has a unique combination of security risks and areas it needs to protect and enables organisations to use a risk-based approach to managing their security risks. 

The model assesses capability across 12 dimensions and 4 maturity levels. The model is guided by the PSR’s mandatory requirements. While the 20 mandatory requirements are ‘baseline’ objectives, the model helps all types of organisations to set maturity targets based on their own security risk profile.  One size does not fit all. 

PSR Moderation Framework (July 2022)

Agencies need to provide the underlying evidence to support their self-assessment against the Capability Maturity Model. The evidence is broken down into evidence of policy and processes versus evidence of practice (such as registers, logs, or reports) showing the outcomes of the policy and processes and how they are used to improve on outcomes. 

The framework can be used by agencies themselves for informal self-assessment or by independent auditors for formal audit of the self-assessment (see the All of Government protective security panel for more information). 

PSR Roadmap template

The PSR Roadmap template can be used to capture your organisation’s goals and improvement plans across the 20 PSR mandatory requirements. 

Self-assessment report template

The report template can be used annually to report back on your organisation’s protective security capability and improvement plans to agency leaders and directors as well as to government leads.  

If your organisation is mandated to follow the Protective Security Requirements, this reporting is mandatory and shared with the PSR/GPSL and GCSB/GCISO. 

Classification System changes to CMM & Moderation Framework (July 2022)

This document provides the changes specifically related to measuring the performance of the Classification System.  Use this guidance to understand what additional capabilities and evidence you will need to demonstrate good practice in the Classification System. 

Classification capability is measured under Mandatory Requirement INFOSEC2 

The Classification System is part of the Protective Security Requirements Mandatory Requirement INFOSEC2:

INFOSEC2 - Design your information security

Consider information security early in the process of planning, selection, and design. Design security measures that address the risks your organisation faces and are consistent with your risk appetite. Your security measures must be in line with:

  • the New Zealand Government Security Classification System
  • the New Zealand Information Security Manual
  • any privacy, legal, and regulatory obligations that you operate under.

Adopt an appropriate information security management framework that is appropriate to your risks. 

When undertaking your self-assessment against this mandatory requirement in the October 2023 to March 2024 period, you will need to also consider the additional Classification System requirements to determine how well you meet this mandatory requirement.  

For example, if you previously rated yourself as ‘Meets’ for INFOSEC2 but, as at March 2024, you have not yet put in place all of the additional capability as defined in the July 2022 updates, then the status of your compliance with this mandatory requirement must reduce (‘Mostly meets’ or lower) as you do not meet the updated mandatory requirement.

Examples for new Classification capability under the CMM dimensions 

Below are a couple of examples of the Leadership and Culture capabilities you will need to have in place to be considered ‘Managed’.

Dimension: Monitoring and assurance

Capability (Managed):

  • You are auditing and recording the quality of classification decisions
  • You apply evidence-based performance measures to help track and assess the ongoing success of the information sharing and declassification

Examples of Evidence:

  • Reporting on outcomes of audit and review of classification
  • Evidence of business change based on classification audit and review
  • Process for monitoring classification, declassification, information sharing
  • Audit and review of classification procedures
  • Chief Archivist and Ombudsman feedback

Dimension: Culture and behaviours

Capability (Managed):

  • Your people regularly review and challenge classification decisions and learn from mistakes
  • Your people make classification decisions that effectively manage the tension between needing to know (withhold) versus needing to share (open)
  • You understand all the information you hold, and have systems and mechanisms in place to enable sharing to occur with any appropriate partner (including emergency management, communities, and social services)
  • Your staff understand the value of information sharing and are formally empowered to share information appropriately where of value to other agencies

Examples of Evidence:

  • Classification System (including Information sharing and declassification) awareness campaign
  • Information Sharing Plan
  • Information Sharing culture survey
  • Measurement of changes in classification rates, volumes of declassification, decrease in complaints, positive ombudsman reporting

Refer to the Classification System changes to CMM & Moderation Framework (July 2022) for the full set of Classification capability requirements.

See also: Common questions

Page last modified: 20/06/2022