Information security

Based on the risks your organisation faces, you will need to design appropriate information security measures to protect the confidentiality, integrity and availability of your information.


As you plan changes to your information landscape, you will need to reconsider your existing security measures and extend them appropriately. The New Zealand Information Security Manual (NZISM) specifies mandatory baseline controls for New Zealand Government agencies, based on the classification of your information, and a series of additional controls to treat your identified risks.

INFOSEC2 - Design your information security

Consider information security early in the process of planning, selection, and design. Design security measures that address the risks your organisation faces and are consistent with your risk appetite. Your security measures must be in line with:

• the New Zealand Government Security Classification System
• the New Zealand Information Security Manual
• any privacy, legal, and regulatory obligations that you operate under.

Adopt an information security management framework that is appropriate to your risks.

Use multiple layers of security - 'defence in depth'

Effective security for an information asset can be achieved by using several different layers of security measures. This approach is referred to as 'defence in depth' — the security of an asset is not significantly reduced with the loss or breach of any single layer of security.

Address all the points where your information security could be breached

When you design your security measures, address your critical information security risks and vulnerabilities including your cyber-security threats, information security culture, security products, and processes.