Physical security

PHY019

Physical protection of information

Protecting single items or limited amounts of information

Your organisation must protect individual documents in line with the Management protocol for information security and its associated requirements.

Material with a compartmented marking, such as a codeword or SCI, may need additional mandatory security controls.

Provide physical protection for hardcopy and electronic information according to its Business Impact Level (BIL).

A ‘limited amount of information’ means a grouping of information that doesn’t result in a higher BIL or need a higher protective marking than the information collection that it comes from.

The relationship between BILs and classification levels

At times, there may be a relationship between security classifications for official information and BILs. The security classifications directly match the BILs when considering the confidentiality of individual documents or files. However, this does not necessarily apply to collections of assets. For example, within a collection of assets with a aggregated business impact level of 4, each individual item might not be marked as CONFIDENTIAL.

However, a protective marking, or confidentiality, of an asset isn’t the only factor to consider when you work out a BIL. You need to consider all factors affecting the security of an asset before you apply a BIL. BILs also need to consider integrity and availability.

The following tables summarises the likely links between protective markings and BILs of individual documents or limited amounts of information.

Individual document marking

Business Impact Level

UNCLASSIFIED (may not be marked) 1 Low
IN CONFIDENCE 2 Medium
SENSITIVE OR RESTRICTED 3 High
CONFIDENTIAL 4 Very High
SECRET 5 Extreme
TOP SECRET 6 Catastrophic


Protecting aggregated information

Aggregated information means collections of protectively-marked or unclassified official information. For example, collections of electronic information.

When information is aggregated, it often becomes more valuable and needs greater protection.

Your organisation must implement physical security measures to mitigate the risks associated with aggregated information. 

For more guidance, go to:

Protecting information with a catastrophic BIL

TOP SECRET or aggregated information that could cause catastrophic damage to New Zealand’s national security if its security was breached, can only be stored in an area certified by the New Zealand Security Intelligence Service (NZSIS). You need their certification before you first use an area and after any modifications to it.

You can arrange for another agency to hold your TOP SECRET information if you don’t have suitable facilities or the cost of establishing facilities is not justifiable. However, if your organisation owns the information, you must provide security containers for holding the information and control access into the containers.

Page last modified: 10/02/2020