Mandatory requirements

The core governance requirements that mandated government agencies must follow and other organisations should consider as best practice.

GOV1 - Establish and maintain the right governance

Establish and maintain a governance structure that ensures the successful leadership and oversight of protective security risk.

Appoint members of the senior team as:

  • Chief Security Officer (CSO), responsible for your organisation’s overall protective security policy and oversight of protective security practices.
  • Chief Information Security Officer (CISO), responsible for your organisation’s information security.

GOV2 - Take a risk-based approach

Adopt a risk management approach that covers every area of protective security across your organisation, in accordance with the New Zealand standard ISO 31000:2018 Risk management – Guidelines.

Develop and maintain security policies and plans that meet your organisation’s specific business needs. Make sure you address security requirements in all areas: governance, information, personnel, and physical.

GOV3 - Prepare for business continuity

Maintain a business continuity management programme, so that your organisation’s critical functions can continue to the fullest extent possible during a disruption. Ensure you plan for continuity of the resources that support your critical functions.

GOV4 - Build security awareness

Provide regular information, security awareness training, and support for everyone in your organisation, so they can meet the Protective Security Requirements and uphold your organisation’s security policies.

GOV5 - Manage risks when working with others

Identify and manage the risks to your people, information, and assets before you begin working with others who may become part of your supply chain.

GOV6 - Manage security incidents

Make sure every security incident is identified, reported, responded to, investigated, and recovered from as quickly as possible. Ensure any appropriate corrective action is taken.

GOV7 - Be able to respond to increased threat levels 

Develop plans and be prepared to implement heightened security levels in emergencies or situations where there is an increased threat to your people, information, or assets.

GOV8 - Assess your capability

Use an annual evidence-based assessment process to provide assurance that your organisation’s security capability is fit-for-purpose.  Provide an assurance report to Government through the Protective Security Requirements team if requested.

Review your policies and plans every 2 years, or sooner if changes in the threat or operating environment make it necessary.


Page last modified: 4/10/2018