The purpose of these requirements is to:
- provide a consistent and structured approach to determining the security measures for events planned, organised and managed by New Zealand government agencies
- ensure the safety of people, information and assets at an event
- help to establish consistent terminology relating to event security across the New Zealand government
- help agencies use these requirements to the extent possible for any unplanned events.
The audience for these requirements is:
- New Zealand government security management staff
- event managers
- any other body or person responsible for the security of people, information or assets at a New Zealand government event.
These requirements cover the provision of a safe and secure environment at New Zealand government events, or at events that the New Zealand Government believes are in the national interest, such as the Commonwealth Games and Pacific Island Forum.
They also cover the protective security measures New Zealand government agencies should employ to protect the people, information and assets at events they organise, including where the agency has contracted a service provider to facilitate the event.
They may be useful when liaising with inter-jurisdictional agencies or event management organisations on security requirements for special events.
The New Zealand Government expects its agencies to give due consideration to the security of all events they manage, plan or host, whether organised by the agency or outsourced.
1.4 Compliance requirements
A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls unless the control is demonstrably not relevant to the respective agency and this can be clearly demonstrated to the agency head or accreditation authority.
A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing a control could exist, including:
- a control is not relevant because the risk does not exist, or
- a process or control(s) of equal strength has been substituted.
Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should pose the following questions:
- Is the agency willing to accept additional risk?
- Have any implications for All of Government security been considered?
- If so, what is the justification?
A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.
The PSR provides agencies with mandatory and best practice security measures.
The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.
Where legislative requirements prescribe higher controls than identified in these requirements, the controls required by legislation take precedence and need to be applied.
Agencies also need to consider their obligations under New Zealand legislation and conventions for the protection of foreign dignitaries attending their events.