Mandatory requirements

The core information security requirements that mandated government agencies must follow and other organisations should consider as best practice.

INFOSEC1 - Understand what you need to protect

Identify the information and ICT systems that your organisation manages. Assess the security risks (threats and vulnerabilities) and the business impact of any security breaches.

INFOSEC2 - Design your information security

Consider information security early in the process of planning, selection, and design.

Design security measures that address the risks your organisation faces and are consistent with your risk appetite. Your security measures must be in line with:

• the New Zealand Government Security Classification System
• the New Zealand Information Security Manual
• any privacy, legal, and regulatory obligations that you operate under.

Adopt an appropriate information security management framework that is appropriate to your risks.

INFOSEC3 - Validate your security measures

Confirm that your information security measures have been correctly implemented and are fit for purpose.

Complete the certification and accreditation process to ensure your ICT systems have approval to operate.

INFOSEC4 - Keep your security up to date

Ensure that your information security remains fit for purpose by:

• monitoring for security events and responding to them
• keeping up to date with evolving threats and vulnerabilities
• maintaining appropriate access to your information.

Page last modified: 4/05/2022