GOV1

Agencies must establish a governance structure within their agency that ensures the successful management of protective security risk.

GOV2

Agencies must appoint a member of senior management as the Chief Security Officer (CSO), responsible for the agency protective security policy and oversight of protective security practices.

GOV3

Agencies must adopt a risk management approach to cover all areas of protective security activity across their organisation, in accordance with the New Zealand standard AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines.

GOV4

Agencies must develop their own set of protective security policies, plans and protocols to meet their specific business needs.  Policies and plans must be reviewed every two years or sooner if changes in risks or the agency’s operating environment dictate

GOV5

Agencies must have an assurance system to conduct an annual security assessment against the mandatory requirements detailed within the Protective Security Requirements.  Agencies must be prepared to report this assessment information upon request from lead security agencies.

GOV6

Agencies must provide all staff, including contractors, with sufficient information and security awareness training to meet the obligations of the Protective Security Requirements.

GOV7

Agencies must have established procedures for reporting and investigating security incidents, and for taking corrective action.

GOV8

Agencies must ensure contracted providers comply with the Protective Security Requirements and agency-specific protective security protocols.

GOV9

Agencies must adhere to any provisions concerning the security of people, information and assets contained in multilateral or bilateral agreements and arrangements to which New Zealand or the agency is a party.

GOV10

Agencies must establish a business continuity management (BCM) programme to provide for the continued availability of critical services and assets, and of other services and assets when warranted by a security threat or risk assessment.