Agencies must establish a governance structure within their agency that ensures the successful management of protective security risk.


Agencies must appoint a member of senior management as the Chief Security Officer (CSO), responsible for the agency protective security policy and oversight of protective security practices.


Agencies must adopt a risk management approach to cover all areas of protective security activity across their organisation, in accordance with the New Zealand standard AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines.


Agencies must develop their own set of protective security policies, plans and protocols to meet their specific business needs. Policies and plans must be reviewed every two years, or sooner if changes in risks or the agency’s operating environment dictate.


Agencies must have an assurance system to conduct an annual security assessment against the mandatory requirements detailed within the Protective Security Requirements.  Agencies must be prepared to report this assessment information upon request from lead security agencies.


Agencies must provide all staff, including contractors, with sufficient information and security awareness training to meet the obligations of the Protective Security Requirements.


Agencies must have established procedures for reporting and investigating security incidents, and for taking corrective action.


Agencies must ensure contracted providers comply with the Protective Security Requirements and agency-specific protective security protocols.


Agencies must adhere to any provisions concerning the security of people, information and assets contained in multilateral or bilateral agreements and arrangements to which New Zealand or the agency is a party.


Agencies must establish a business continuity management (BCM) programme to provide for the continued availability of critical services and assets, and of other services and assets when warranted by a security threat or risk assessment.