1.1.13. The Agency Head is generally the Accreditation Authority for that agency for all systems and related services up to and including those classified
RESTRICTED. See also Chapter 3 – Roles and Responsibilities and Section 4.4 – Accreditation Framework.
1.1.14. Agency heads may choose to delegate this authority to a member of the agency’s executive. The Agency Head remains accountable for ICT risks
accepted and the information security of their agency.
1.1.15. In all cases the Accreditation Authority will be at least a senior agency executive who has an appropriate level of understanding of the security risks
they are accepting on behalf of the agency.
1.1.16. For multi-national and multi-agency systems the Accreditation Authority is determined by a formal agreement between the parties involved.
Consultation with the Office of the Government Chief Digital Officer (GCDO) may also be necessary.
1.1.17. For agencies with systems that process, store or communicate NZEO or information compartmented for national security reasons, the Director-General
of the GCSB is the Accreditation Authority irrespective of the classification level of that information.
Certification and Accreditation Processes
1.1.18. Certification and accreditation of information systems is the fundamental governance process by which the risk owners and agency head derive
assurance over the design, implementation and management of information systems and related services provided to or by government agencies.
This process is described in detail in Chapter 4 – System Certification and Accreditation.
1.1.19. Certification and Accreditation are two distinct processes.
1.1.20. Certification is the formal assertion that an information system and related services comply with minimum standards and agreed design, including any
security requirements.
1.1.21. In all cases, certification and the supporting documentation or summary of other evidence will be prepared by, or on behalf of, the host or lead agency.
The certification is then provided to the Accreditation Authority.
1.1.22. Accreditation is the formal authority to operate an information system and related services, and requires the recognition and acceptance of associated
risk and residual risks.
1.1.23. A waiver is NOT an exception (see below). A waiver is the formal acknowledgement that a particular compliance requirement of the NZISM cannot
currently be met. A waiver is granted by the Accreditation Authority on the basis that full compliance with the NZISM is achieved or compensating
controls are implemented within a time specified by the Accreditation Authority. Waivers are valid in the short term only and full accreditation cannot
be granted until all conditions of the waiver have been met. The need for a waiver may occur when specified controls cannot be practically
implemented because of technology, resource or other serious limitations. It is essential that risk is managed through the application of specified
conditions.
1.1.24. An exception is NOT a waiver (see preceding paragraph). An exception is the formal acknowledgement that a requirement of the NZISM cannot be met
and that a dispensation from the particular compliance requirement is granted by the Accreditation Authority. This exception is valid for the term of
the Accreditation Certificate or some lesser time as determined by the Accreditation Authority. This may occur, for example, where the system is to be in use
for a very short time (usually measured in hours), or where the requirement cannot be met and there is no viable alternative. It is essential that any
consequential risk is acknowledged and appropriate measures are taken to manage any increased risk.
1.1.25. The requirements described above are summarised in the table below. Care MUST be taken when using this table as there are numerous
endorsements, caveats and releasability instructions in the New Zealand Government Security Classification System that may change where the
authority for accreditation lies.
Information Classification: Information classified RESTRICTED and below, including UNCLASSIFIED and Official Information.

MUST and MUST NOT controls: Controls are baseline or “systems hygiene” controls and are essential for the secure use of a system or service. Non-use is high risk and mitigation is essential. If the control cannot be directly implemented, suitable compensating controls MUST be selected to manage identified risks. The Accreditation Authority may grant a Waiver or Exception from a specific requirement if the level of residual risk is within the agency’s risk appetite. Some baseline controls cannot be individually risk managed by agencies without jeopardising multi-agency, All-of-Government or international systems and related information.

SHOULD and SHOULD NOT controls: Controls represent good and recommended practice. Non-use may be medium to high risk. Non-use of controls is formally recorded, compensating controls selected as required and residual risk acknowledged to be within the agency’s risk appetite and formally agreed and signed off by the Accreditation Authority.

Accreditation Authority: Agency Head/Chief Executive/Director General (or formal delegate).
Version_3.5__January-2022