1. About information security
1.1. Understanding and using this Manual
Objective
1.1.1. The New Zealand Information Security Manual details processes and controls essential for the protection of all New Zealand Government information and systems. Controls and processes representing good practice are also provided to enhance the baseline controls. Baseline controls are minimum acceptable levels of controls and are often described as “systems hygiene”.
Context
Scope
1.1.2. This manual is intended for use by New Zealand Government departments, agencies and organisations. Crown entities, local government and private sector organisations are also encouraged to use this manual.
1.1.3. This section provides information on how to interpret the content and the layout of content within this manual.
1.1.4. Information that is Official Information or protectively marked UNCLASSIFIED, IN-CONFIDENCE, SENSITIVE or RESTRICTED is subject to a single set of controls in this NZISM. These are essential or minimum acceptable levels of controls (baseline controls) and have been consolidated into a single set for simplicity, effectiveness and efficiency.
1.1.5. All baseline controls will apply to all government systems, related services and information. In addition, information classified CONFIDENTIAL, SECRET or TOP SECRET has further controls specified in this NZISM.
1.1.6. Where the category “All Classifications” is used to define the scope of rationale and controls in the Manual, it includes any information that is Official Information, UNCLASSIFIED, IN-CONFIDENCE, SENSITIVE, RESTRICTED, CONFIDENTIAL, SECRET, TOP SECRET or any endorsements, releasability markings or other qualifications appended to these categories and classifications.
The purpose of this Manual
1.1.7. The purpose of this manual is to provide a set of essential or baseline controls and additional good and recommended practice controls for use by government agencies. The use or non-use of good practice controls MUST be based on an agency’s assessment and determination of residual risk related to information security.
1.1.8. This manual is updated regularly. It is therefore important that agencies ensure that they are using the latest version of this Manual.
Target audience
1.1.9. The target audience for this manual is primarily security personnel and practitioners within, or contracted to, an agency. This includes, but is not limited to:
security executives;
security and information assurance practitioners;
IT Security Managers;
Departmental Security Officers; and
service providers.
Structure of this Manual
1.1.10. This manual seeks to present information in a consistent manner. There are a number of headings within each section, described below.
Objective – the desired outcome when controls within a section are implemented.
Context – the scope, applicability and any exceptions for a section.
References – references to external sources of information that can assist in the interpretation or implementation of controls.
Rationale & Controls
Rationale – the reasoning behind controls and compliance requirements.
Control – risk reduction measures with associated compliance requirements.
1.1.11. This section provides a summary of key structural elements of this manual. The detail of processes and controls is provided in subsequent chapters. It is important that reference is made to the detailed processes and controls in order to fully understand key risks and appropriate mitigations.
The New Zealand Government Security Classification System
1.1.12. The requirements for classification of government documents and information are based on the Cabinet Committee Minute EXG (00) M 20/7 and CAB (00) M42/4G(4). The Protective Security Requirements (PSR) INFOSEC2 require agencies to use the NZ Government Security Classification System and the NZISM for the classification, protective marking and handling of information assets. For more information on classification, protective marking and handling instructions, refer to the Protective Security Requirements, NZ Government Security Classification System.
Key definitions
Accreditation Authority
Version_3.5__January-2022