Information security

INF024

Classify and assign protective markings

Based on the value of your information and equipment, classify and assign protective markings to inform your people on how to handle the information and protect it from harm.   

Use the New Zealand Government Security Classification System

All New Zealand Government agencies must follow the New Zealand Government Security Classification System. It informs agencies about their responsibilities for assessing, classifying, managing, and controlling official information. 

The system is intended for use by all New Zealand government employees, contractors, and anyone else with access to official information. The system helps you to:

  • identify the protection requirements for official information
  • understand the security classifications, your responsibilities, and what they mean for your agency’s official information
  • apply appropriate protective markings and endorsements to your agency’s official information
  • implement policies and practices for information security classification within your agency.

Overview of security classifications

A security classification specifies how people must protect the information and equipment they handle.

Security classifications can be divided into two types of information:

  • policy and privacy information
  • national security information.

The classifications for material that should be protected because of public interest or personal privacy are:

  • IN CONFIDENCE
  • SENSITIVE.

The classifications for material that should be protected because of national security are:

  • RESTRICTED
  • CONFIDENTIAL
  • SECRET
  • TOP SECRET.


Relationship with Business Impact Levels

At times, there may be a relationship between security classifications for official information and BILs. The security classifications directly match the BILs when considering the confidentiality of individual documents or files. However, this does not necessarily apply to collections of assets.

However, a protective marking, or confidentiality, of an asset isn’t the only factor to consider when you work out a BIL. You need to consider all factors affecting the security of an asset before you apply a BIL. BILs also need to consider integrity and availability.

The table below shows the likely relationship between protective markings and BILs:

Likely relationship between protective markings and BILs for individual files or documents

Protective marking level Business Impact Levels
UNCLASSIFIED (may not be marked) 1 Low
IN CONFIDENCE 2 Medium
SENSITIVE or RESTRICTED 3 High
CONFIDENTIAL 4 Very High
SECRET 5 Extreme
TOP SECRET 6 Catastrophic


Consider extra security for collections of information

Consider extra security measures for collections of information (aggregated information). Aggregated information can be more valuable than the single pieces of information it’s made up of, so your organisation might need extra security measures to protect it. Ask yourself ‘What could be deduced if the collection were breached?’

Aggregated information includes collections of physical documents and collections of information stored in your ICT systems.

The Business Impact Levels (BILs) is a tool that can be used to assess the value of your aggregated information and what impact might occur if the confidentiality, integrity or availability of your aggregated information is compromised.

Classify and label government equipment

Classify and label New Zealand Government equipment in line with Product Classifying and Labelling — NZISM.

Page last modified: 2/10/2018