
Making the NZ Minimum Cyber Security Standards Work in Practice

May 11, 2026

New Zealand's Minimum Cyber Security Standards (MCSS) were released in 2025 with the aim of driving sector-wide uplift against foundational cyber security practices, similar in nature to Australia’s Essential Eight or the UK’s Cyber Essentials.

Whilst originally targeted at GCISO-mandated government agencies as a pathway to lifting and benchmarking security practices, non-mandated agencies were also encouraged to adopt and apply the Standards.

The ten standards were based on an assessment of the most likely cyber attack vectors and of historic incidents that had been responded to, with the stated aims being to:

  • Establish clear foundational controls mapped to New Zealand’s own Cyber Security Framework
  • Help agencies understand, benchmark and improve practices against a maturity model
  • Generate system insights through mandated agency reporting and allow better oversight of cyber risk and maturity

The first round of reporting has closed - where next?

The minimum maturity level for the first cohort of selected agencies was set at CMM-2 (Planned & Tracked), and the first annual self-assessment cycle against the MCSS ran from 1 November 2025 to 30 April 2026.

Now the NZ Government is starting to broaden the application of the ten security standards out into key supply chains by using the CS-CMM2 level as the minimum level of security assurance required to contract and provide services to the Marketplace supplier environment.

Since February 2026, the Marketplace Security Assurance Tiering Definitions have been updated to specify new requirements for Infrastructure, Telecommunications and Managed Security Services providers.

Tier 2 services will require an appropriate level of security assurance to support Certification and Accreditation activities completed by agencies buying in these providers.

Marketplace providers must now include an independent audit of GCDO defined Organisational Controls at a minimum of the Cyber Security Capability Maturity Model Level 2 (CS-CMM2).

And for Tier 1 providers, this assurance level rises to CS-CMM3 for Physical, Personnel, Multi-Factor Authentication and Least Privilege standards and CS-CMM2 for all other control areas.

How can I leverage the MCSS for my own organisation?

Even if you're not providing services on Marketplace or lining up to respond to government agency tenders, the MCSS still provides a useful functional outline to apply to your own cyber risks.

If you already run ISO 27001, NIST CSF, or NZISM controls, most of MCSS maps to what you have.

The MCSS approach differs from broader frameworks like the National Institute of Standards and Technology CSF and ISO 27001.

Where the CSF and ISO27k represent a huge operating overhead for smaller NZ firms, the ten standards are not comprehensive in nature but targeted to risk prioritised activities:

  • Risk Management
  • Security Awareness
  • Asset Importance
  • Secure Configuration of Software
  • Patching
  • Multi-factor Authentication
  • Least Privilege
  • Detect Unusual Behaviour
  • Data Recovery
  • Response Planning

The foundational standards are Risk Management, Asset Importance and Least Privilege. Without these in place, much of your follow-on activity becomes whack-a-mole in nature or focused on tools over practices.

For example, without clarity over Asset Importance, you can't realistically scope and deliver on Patching, Secure Configuration, or Detection standards.

Manage risk well and any cyber security framework tends to get ticked along the way.

In short, to apply the MCSS and get the most benefit, identify what matters to your business. Build controls that reduce specific risks and then map those to your framework(s).

A compliance-driven implementation will get you to CMM-2, but a risk-based, contextualised approach will have far more value and become evidence of your compliance later on.

What good risk management looks like

A risk without a named owner isn't a risk. It's a hope.

Managing cyber risk requires some core practices:

  • It is a business risk to be managed holistically
  • Executives must document appetite and tolerance to drive outcomes
  • Risk owners must be aware of their responsibilities to move the needle
  • Controls must be mapped to key risks, or they are simply hygiene activities
  • The evolving threat landscape demands a scheduled risk review, at least quarterly, to determine progress

And as well as focusing on your own technology assets, ensure your scope includes any outsourced provider. You can outsource the patching, the monitoring, the recovery activities for technology but you cannot outsource the risk.

Key gaps and quick wins for MCSS compliance

In our experience, these are the most common problem areas for NZ businesses seeking CMM-2:

  1. Your asset register is a list, not an inventory, when there are gaps in knowledge around owners, data and criticality ratings, and when outsourced services don't make the list.
  2. Logs may exist, but with no baseline for normal behaviour any alerts generated fire off into the void and are missed.
  3. Service accounts and shared credentials have never been addressed, so the audit trail offers no real insight when it is needed for DFIR.
  4. Your Security Incident Response Plan has never been tested; on that basis it's not a plan but a filing exercise.
  5. Security awareness delivered once a year isn't an effective programme for human risk management.
  6. Backups exist but restoration has never been tested. Don't let ransomware test your ability to recover systems and data.

Measuring your maturity against New Zealand's Minimum Cyber Security Standards

At Overcyte, we believe the ten minimum cyber security standards represent an exciting opportunity for New Zealand organisations to benchmark their programme against a local, tailored and risk focused framework.

It is a framework sized for smaller organisations seeking to prioritise their security investments, allow accurate measurement of current state and drive the changes that will see a practical baseline reached.

We have the MCSS available in the platform today and can help you get your assessment underway.

We're here to help so reach out to our experts for a demo.

This blog is adapted from our May 2026 webinar "From Compliance to Operational Resilience: Making the NZ Minimum Cyber Security Standards Work in Practice."

Check out our upcoming webinars for more timely cybersecurity information and read more posts from our founder Aaron Gayton.
