Physical security


Introduction to physical security for ICT systems

ICT systems are protected by a combination of physical and logical controls. Logical access controls are detailed in the New Zealand Information Security Manual.

In some cases, the increased level of protection logical controls provide may mean you can reduce your use of physical controls.

Make sure you refer to security requirements for ICT systems and electronic information in your organisation’s business continuity plans, and other disaster response and recovery plans.

You may need to consult the Government Communications Security Bureau (GCSB) before you install ICT systems.

Exceptions come with conditions

If your organisation doesn’t apply the logical controls identified in the New Zealand Information Security Manual, you must meet or exceed (based on your risk assessment) the controls identified in the Design physical security early.

You should also:

  • ensure your chief security officer (CSO) is involved in planning processes for ICT systems, so that the physical security requirements are suitable for the ICT equipment and operations
  • restrict access to ICT equipment used to store or process official information to authorised people with a need-to-know
  • provide physical security to all components of your ICT systems, including cabling, taking into account the level of protection given by any encryption.

More guidance:

For more guidance on ICT system security, refer to the following documents.



Page last modified: 19/09/2019