GOV002
Mandatory requirements
The core governance requirements that mandated government agencies must follow and other organisations should consider as best practice.
GOV1 - Establish and maintain the right governance
Establish and maintain a governance structure that ensures the successful leadership and oversight of protective security risk.
Appoint members of the senior team as:
- Chief Security Officer (CSO), responsible for your organisation’s overall protective security policy and oversight of protective security practices.
- Chief Information Security Officer (CISO), responsible for your organisation’s information security.
GOV2 - Take a risk-based approach
Adopt a risk management approach that covers every area of protective security across your organisation, in accordance with the New Zealand standard ISO 31000:2018 Risk management – Guidelines.
Develop and maintain security policies and plans that meet your organisation’s specific business needs. Make sure you address security requirements in all areas: governance, information, personnel, and physical.
GOV3 - Prepare for business continuity
Maintain a business continuity management programme, so that your organisation’s critical functions can continue to the fullest extent possible during a disruption. Ensure you plan for continuity of the resources that support your critical functions.
GOV4 - Build security awareness
Provide regular information, security awareness training, and support for everyone in your organisation, so they can meet the Protective Security Requirements and uphold your organisation’s security policies.
GOV5 - Manage risks when working with others
Identify and manage the risks to your people, information, and assets before you begin working with others who may become part of your supply chain.
GOV6 - Manage security incidents
Make sure every security incident is identified, reported, responded to, investigated, and recovered from as quickly as possible. Ensure any appropriate corrective action is taken.
GOV7 - Be able to respond to increased threat levels
Develop plans and be prepared to implement heightened security levels in emergencies or situations where there is an increased threat to your people, information, or assets.
GOV8 - Assess your capability
Use an annual evidence-based assessment process to provide assurance that your organisation’s security capability is fit-for-purpose. Provide an assurance report to Government through the Protective Security Requirements team if requested.
Review your policies and plans every 2 years, or sooner if changes in the threat or operating environment make it necessary.
Page last modified: 3/05/2022