Key steps to PSR Assurance
Use these steps to achieve a consistent approach to assessing protective security capability and compliance in organisations. This helps organisations to:
- identify areas of focus and address these through mitigation and education actions
- evaluate the effectiveness of their protective security practices
- improve their protective security policies and procedures.
1. Set target maturity
- PSR capability maturity model (PS-CMM) levels have been updated.
- Target the minimum baseline protective security maturity level (PS-CMM 2), or select a higher target, based on your risk assessment.
2. Gather / review evidence
- The reporting period is 1 January to 31 December.
- Identify what has changed since your last PSR self-assessment. Gather and review evidence. Evidence guides have been updated. More guidance has been provided.
- You can record your evidence in your PSR Self-Assessment Tool but this isn't mandatory.
3. Complete PSR Self-Assessment Tool
- Answer questions in the new PSR Self-Assessment Tool to confirm if the measures required by the PSR are in place. Possible answers are: Yes, Partial, No, N/A, or Alternate control.
- Add commentary to support your moderation activities and provide explanations for your answers including identifying gaps and plans for improvement.
4. Verify your self-assessment
- We recommend that you independently verify (also known as moderating) your self-assessment to provide confidence in the results. You can undertake this internally or, on occasion, externally.
- Adjust your answers in the PSR Self-Assessment Tool where required.
5. Secure executive sign off
- Complete a PSR Assurance Report summarising the findings for your Chief Executive. Draw on the tables, graphs, and results from your completed PSR Self-Assessment Tool.
- Obtain Chief Executive approval and sign off.
6. Report to us
- Email a copy of your final PSR Self-Assessment Tool and PSR Assurance Report to the PSR Unit by 30 April.
- These reports inform system-level analysis on protective security capability.
7. Prioritise and plan improvements
- Prioritise identified security capability gaps, areas of risk exposure, and planned improvements and maintain a security improvement roadmap.
PSR Assurance Framework resources
The following resources have been created to support organisations in undertaking the annual PSR assurance process.
| Document name | Description | Use in step |
|---|---|---|
| PSR Assurance Framework Guide [PDF, 864 KB] | An updated PSR Capability Maturity Model (PS-CMM) with checklists to help organisations select capability maturity targets demonstrating specific capability and measures expected for each security domain at each capability maturity level. | All steps |
| PSR Self-Assessment Tool | An updated guide to support organisations when gathering evidence and undertaking moderation of the PSR self-assessment. | All steps |
| Enterprise Security Risk CMM Calculator [XLSX, 65 KB] | A tool to help an organisation assess and decide their target capability maturity level. The calculator provides a set of general organisational characteristics and qualities that may influence security risks in their environment. | Step 1 |
| PSR Capability Maturity Model [PDF, 532 KB] | An updated PSR Capability Maturity Model (PS-CMM) with checklists to help organisations select capability maturity targets demonstrating specific capability and measures expected for each security domain at each capability maturity level. | Steps 1 – 4 |
| PSR Moderation Framework [PDF, 376 KB] | An updated guide to support organisations when gathering evidence and undertaking moderation of the PSR self-assessment. | Step 2 (evidence guide), Step 4 (moderation) |
| PSR Self-Assessment CMM and Moderator Tool | A tool for use by moderators or auditors when verifying an organisation’s PSR self-assessment. The tool outlines the questions in the PSR Self-Assessment Tool, showing the relevant requirement in the PSR Capability Maturity Model (PS-CMM), and provides a moderation area to track the original answer provided and a moderated answer (if different) and to record any moderation commentary as appropriate. | Step 4 |
| PSR Assurance Report template – Original | A mandatory reporting template used to summarise the results for the Chief Executive from the PSR assurance round for the year. Two templates are provided: original and portrait. | Steps 5 – 6 |
| PSR Assurance Report template – Portrait | Portrait version of the mandatory reporting template described above. | Steps 5 – 6 |
| PSR Security Measures Roadmap [XLSX, 77 KB] | An optional PSR roadmap template to track the security measures an organisation has in place, is putting in place, and is planning to put in place to protect its people, information, and assets. | Step 7 |
| PSR Policy Framework | Refer to the PSR Policy Framework documents for more information and guidance on appropriate mandatory and recommended security measures. | All steps |
Indicative approach for the assurance round
The following is an indicative approach and timeline for undertaking the annual assurance process. Use this as a guide when establishing your plan and assigning roles and responsibilities for assurance activities.
| October – December | January – February | March – April |
|---|---|---|
| Round opens by 1 November. Planning and preparation; begin assurance process | Continue assurance process | Finalise and submit |
Also see the PSR Assurance Framework Guide [PDF, 864 KB] for more tips and ideas for ensuring the round is successful.
Reporting on PSR capability and compliance
Certain organisations must report, externally and in writing, on their protective security capability and compliance with the mandatory requirements of the PSR. Other organisations are encouraged to voluntarily report.
External reporting will confirm that:
- they have undertaken an assessment against the mandatory requirements
- compliance for each mandatory requirement is being effectively managed
- any unacceptable risk relating to these mandatory requirements has been treated appropriately
- they have a plan in place to reach and maintain the appropriate level of protective security capability based on their risk profile
- their compliance obligations have been met.
Organisations should also advise any non-compliance with specific PSR mandatory requirements to the relevant organisations listed below.
- The Director-General, Government Communications Security Bureau (GCSB), for matters relating to CONFIDENTIAL and above material and the New Zealand Government Information Security Manual (nzism.gcsb.govt.nz).
- The Government Chief Information Officer (GCIO) for matters relating to Information and Communications Technology (ICT) risk.
- The Director-General of Security, New Zealand Security Intelligence Service (NZSIS), for matters relating to national security.
- The heads of any organisations whose people, information or assets may be affected by the organisation's capability and/or non-compliance if not already advised when the non-compliance was first identified.
Reporting benefits
Compliance with the mandatory requirements will assist organisations to attain effective and appropriate protective security management in line with the New Zealand government's expectations.
Compliance with the PSR provides benefits to government, portfolios and organisations.
Benefits to the New Zealand government include:
- providing a mechanism to assure the government that sound and responsible protective security occurs across government
- enabling the identification of any serious or systemic protective security issues across government, which can then be addressed through policy changes and education programmes
- enabling the government to identify and implement better practice protective security
- enabling, where appropriate, the communication to ministers of significant compliance issues within their portfolios
- promoting intra-portfolio cooperation between organisations to address portfolio-wide issues.
The information provided will be used to inform whole-of-government protective security status reporting.
Benefits to your organisation include:
- the ability to identify areas of low protective security capability and address any issues on a timely basis
- knowledge gained by one organisation can be captured and issued to all relevant organisations, improving the efficiency and effectiveness of protective security practices
- assurance about the security of information and asset sharing arrangements.
Report to the PSR
If you would like to volunteer your organisation to participate in the next assurance round and report to PSR, please get in touch.