Agencies must address information security requirements through the development and implementation of an information security policy as part of the agency security plan.


Agencies must establish a framework to provide direction and coordinated management of information security. Frameworks must be appropriate to the level of security risk in the agency’s information environment and consistent with business needs and legal obligations.


Agencies must implement policies and protocols for the protective marking and handling of information assets in accordance with the Protective Security Requirements New Zealand Government Security Classification System and the New Zealand Information Security Manual.


Agencies must document and implement operational procedures and measures to ensure information, systems development and systems operations are designed and managed in accordance with security, privacy, legal and regulatory obligations under which the agency operates.


Agencies must ensure there is a formal process to approve ICT systems to operate. This process, known as ‘certification and accreditation’, is an essential component of the governance and assurance of ICT systems and supports risk management. The process is described in the New Zealand Information Security Manual.