Skip to main content

Director-General's Foreword



Welcome to the new, digital, version of the New Zealand Information Security Manual (NZISM).

The web-based publication has been developed to improve the accessibility and usability of GCSB’s key information security guidance.

Enhancements over the previous PDF document format include the ability to export controls in machine readable formats, the introduction of fixed control identification numbering, and advanced search features.

The NZISM is an integral part of the Protective Security Requirements (PSR) framework which sets out the New Zealand Government’s expectations for the management of personnel, information and physical security as directed by Cabinet.

Security agencies are involved in an ongoing process to update and increase the accessibility of these security frameworks and guidance.

Application of the PSR and NZISM are vital for the successful operation of government organisations and underpin public confidence by supporting privacy and security.

Chief executives and senior leaders in government agencies are ultimately accountable for the management of risk, including security risks, within their organisations. In the face of globally rising cyber threats, it is vital that agency executives, particularly those with information security governance responsibilities, keep abreast of technology challenges and threats and update their organisation’s risk and security practices accordingly. This refreshed NZISM supports executives to discharge their risk management responsibilities.

The NZISM is tailored to meet the needs of agency information security executives as well as practitioners, vendors, contractors and consultants who provide information and technology services within or to government agencies. This version continues the regular update and enhancement of the technical and security guidance for government agencies to support good information assurance practices. It is consistent with recognised international standards to support agencies’ own approaches to risk management.


Andrew Hampton
Government Communications Security Bureau