Information security


New Zealand Information Security Manual (NZISM)

The New Zealand Information Security Manual (NZISM) is the New Zealand Government’s manual on information assurance and information systems security.

New Zealand Information Security Manual


Safe, secure and functional information systems are vital for the successful operation of all government organisations. These systems underpin public confidence, support privacy and security and are fundamental to the effective, efficient and safe conduct of public and government business.

The consequences of a security lapse can be significant, regardless of where in an organisation it occurs or how severe it is. These consequences can damage an organisation’s reputation, undermine public confidence and cause significant damage to information systems. The damage can be intensified where a single system is used by multiple agencies.

Governance, assurance and risk

A fundamental part of the NZISM is the clarification of governance requirements, role and authority of the chief and of senior executives, and further clarity on the principal assurance process – the certification and accreditation framework.

Chief Executives or heads of government departments and agencies are ultimately accountable for the management of risk and security within their organisations. Assurance on the governance, management and security of information and information systems is vital in meeting these responsibilities.

Who should use the NZISM?

The NZISM is a practitioner’s manual designed to meet the needs of agency information security executives as well as vendors, contractors and consultants who provide services to agencies. It includes minimum technical security standards for good system hygiene, as well as providing other technical and security guidance for government departments and agencies to support good information governance and assurance practices.

It is consistent with a wide variety of risk management, governance, assurance and technical standards, including the ISO/IEC 2700x series, as well as IETF, OASIS, NIST and other recognised standards bodies.

The NZISM, while intended primarily for the use of government departments and agencies, and their service providers, will be equally useful for Crown Entities, Local Government bodies and private sector organisations.

Page last modified: 4/05/2022