ITSMs implement security measures and provide expertise

ITSMs are executives within an organisation. They’re conduits between the strategic directions provided by the CISO and the technical efforts of systems administrators. While a CISO sets the strategic direction for information security, ITSMs manage the implementation of information security measures. 

ITSMs are generally considered the information security experts within their organisations.

Core aspects of the ITSM’s role

ITSMs are responsible for administrative and process controls relating to information security. Core aspects of their work include contributing to:

  • improving the information security of systems
  • providing input to ICT projects
  • assisting other security personnel within their organisation
  • contributing to information security training
  • responding to information security incidents. 

ITSMs can also provide advice for committees, such as information security steering committees, change management committees, or inter-agency committees.

As ITSMs have knowledge of all aspects of information security, they’re best placed to work with ICT project teams to identify and incorporate appropriate information security measures.

To ensure your CISO remains aware of all information security issues, and can brief their agency head when necessary, ITSMs need to provide regular reports on:

  • policy developments
  • proposed system changes and enhancements
  • information security incidents
  • any areas of concern.

While your CISO oversees the development and operation of information security awareness and training programmes, your ITSMs arrange delivery of that training.

Your organisation’s responsibilities with the ITSM role

Your organisation must appoint at least one ITSM. If your organisation is spread across several sites in different locations, you should appoint an ITSM at each major site.

Appointing and clearing ITSMs

Any ITSMs you appoint should:

  • have enough experience, authority, and training to fulfil the role in an organisation of your size or in their area of responsibility within your organisation
  • be independent of any company that provides ICT services (to avoid conflicts of interest).

ITSMs must be:

  • cleared for access to all classified information processed in your organisation’s systems
  • hold a national security clearance that allows them to be briefed on any compartmented information in your organisation’s systems.

ITSMs should not have additional responsibilities beyond those needed to fulfil their role.

Your responsibilities as an ITSM

As an ITSM, you must:

  • assist system owners to obtain and maintain accreditation
  • ensure security risk management plans (SRMPs), systems security plans (SecPlan), and any standard operating procedures (SOPs) for your organisation’s systems are developed, maintained, updated, and implemented.

Working with the CISO

You should work with your CISO to:

  • develop an information security programme
  • develop information security budget projections and resource allocations based on short-and long-term goals
  • undertake and manage projects to address identified security risks.

Working with ICT projects and systems

You should work with ICT project leaders and team members to:

  • identify systems that require information security measures and help with selecting the right measures
  • ensure that information security is included when IT equipment and software is evaluated, selected, installed, configured, and operated.

You should work with enterprise architecture teams to:

  • ensure security risk assessments are incorporated into system architectures
  • identify, evaluate, and select information security solutions that will meet your organisation’s security objectives.

You should also work with ICT system owners, certifiers, and accreditors to:

  • work out which information security policies will best protect the systems
  • ensure consistency with Protective Security Requirements, particularly the relevant NZISM components.

As an ITSM, you should:

  • be included in your organisation’s change management and control processes to ensure that risks are properly identified, and controls are properly applied to manage those risks
  • notify the accreditation authority of any significant change that may affect the accreditation of that system.

Working with vendors

You should liaise with vendors and with purchasing and legal people in your organisation to establish mutually acceptable information security contracts and service-level agreements.

Implementing security

To implement security measures, you should:

  • conduct security risk assessments on any implementation plans for new or updated IT equipment or software, and develop risk mitigation strategies if necessary
  • ensure information security policies are robust by selecting and coordinating the implementation of controls that support and enforce them
  • lead and direct the integration of information security strategies and architecture with business and ICT strategies and architecture
  • provide technical and managerial expertise for the administration of information security management tools.

Reporting and auditing

You should:

  • coordinate, measure, and report on technical aspects of information security management
  • monitor and report on your organisation’s compliance with, and enforcement of, information security policies
  • report regularly on information security incidents and other areas of concern to your CISO
  • assess and report on threats, vulnerabilities, and residual security risks
  • recommend remedial actions to reduce risks
  • assist system owners and security personnel to understand and respond to audit failures reported by auditors.

Assisting with disaster recovery

You should assist the team responsible for disaster recovery planning with:

  • selecting recovery strategies
  • developing, testing, and maintaining disaster recovery plans.


You should:

  • provide or arrange information security awareness and training for everyone in your organisation
  • develop technical information materials and workshops on information security trends, threats, good practices, and control mechanisms as appropriate.

Providing up-to-date security knowledge

As an ITSM, you should:

  • maintain an up-to-date security knowledge base comprising of a technical reference library, security advisories and alerts, information on security trends and practices, relevant laws and regulations, and standards and guidelines
  • provide expert guidance on security matters for ICT projects
  • provide technical advice for your information security steering committee, change management committee, and any other committees as required
  • maintain an up-to-date and accurate understanding of the threat environment relating to systems and pass this information to system owners so it’s considered during accreditation activities
  • keep the CISO and system owners informed with up-to-date information on current threats.

Page last modified: 4/05/2022