New Zealand Information Security Manual (NZISM)

This download includes the New Zealand Information Security Manual there are no mapped questions. Use this download if you just want the provisions and you want to create your own question set.

The purpose of this manual is to provide a set of essential or baseline controls and additional good and recommended practice controls for use by government agencies. The use or non-use of good practice controls MUST be based on an agency’s assessment and determination of residual risk related to information security.

This manual seeks to present information in a consistent manner. There are a number of headings within each section, described below.

Objective – the desired outcome when controls within a section are implemented.

Context – the scope, applicability, and any exceptions for a section.

References – references to external sources of information that can assist in the interpretation or implementation of controls.

Rationale – the reasoning behind controls and compliance requirements.

Control – risk reduction measures with associated compliance requirements.

The requirements for the classification of government documents and information are based on the Cabinet Committee Minute EXG (00) M 20/7 and CAB (00) M42/4G(4). The Protective Security Requirements (PSR) INFOSEC2 require agencies to use the NZ Government Security Classification System and the NZISM for the classification, protective marking, and handling of information assets. For more information on classification, protective marking, and handling instructions, refer to the Protective Security Requirements, NZ Government Security Classification System.

The target audience for this manual is primarily security personnel and practitioners within, or contracted to, an agency. This includes, but is not limited to:

• Security executives;
• Security and information assurance practitioners;
• IT Security Managers;
• Departmental Security Officers; and
• Service providers.