Self assessment & reporting

SAR007

Reporting protective security capability and compliance

Certain organisations must report, externally and in writing, on their protective security capability and compliance with the mandatory requirements of the PSR.

External reporting will confirm that:

  • they have undertaken an assessment against the mandatory requirements
  • compliance for each mandatory requirement is being effectively managed
  • any unacceptable risk relating to these mandatory requirements has been treated appropriately
  • they have a plan in place to reach and maintain the appropriate level or protective security capability based on their risk profile
  • their compliance obligations have been met.

The written report from the agency head must:

  • contain a declaration of compliance with the mandatory requirements
  • where not compliant, state any areas of non-compliance, identifying:
    • details on measures taken to mitigate identified risks
    • areas of non-compliance requiring further action
    • any proposed future measures to address non-compliance
    • any residual risks.

Agencies should also advise any non-compliance with specific PSR mandatory requirements to the relevant agencies listed below.

  • The Director - General, Government Communication Security Bureau (GCSB) for matters relating to CONFIDENTIAL and above material and the New Zealand Government Information Security Manual.
  • The Government Chief Information Officer (GCIO) for matters relating to Information and Communications Technology (ICT) risk.
  • The Director - General  of Security New Zealand Security Intelligence Service (NZSIS) for matters relating to national security.
  • The heads of any agencies whose people, information or assets may be affected by the agency's capability and/or non-compliance if not already advised when the non-compliance was first identified.
    Agencies should advise the GCSB, NZSIS or affected agencies, as applicable, at the time of any incident.

Also refer to the Reporting incidents and conducting security investigations

Page last modified: 4/05/2022