New Zealand's National Cyber Security Centre (NCSC) has released draft Minimum Cyber Security Standards this week with the aim of uplifting practices at the country's core government agencies.
The standards form part of a broader consultation on enhancing security assessments for protective security programmes and were developed under the Government Chief Information Security Officer (GCISO) mandate.
Utilising a Capability Maturity Model (CMM) approach, they establish minimum cyber security expectations for the 37 mandated agencies covered under the Protective Security Requirements (PSR) framework, which is operated by the New Zealand Security Intelligence Service.
NCSC states that the 10 new standards are "designed to focus on the basics" and will sit between two existing security approaches - the substantial New Zealand Information Security Manual (NZISM) and the NCSC's Cyber Security Framework, a localised 'fork' of the American NIST CSF.
The 10 standards take a holistic approach to cyber security and, unlike the CIS Critical Controls or the Australian Essential Eight, which focus primarily on technical controls, include foundational areas such as risk management and security awareness.
The consultation lasts until 4th July 2025 and feedback will then be used to shape the final standards.
These are planned to be published in October 2025 with NZ Government agencies directed to report back on their implementation as part of the revised PSR assurance reporting process in April 2026.
The standards include a capability maturity model that helps agencies assess their compliance maturity and identify actions for improvement. Criteria for ratings from CMM1 to CMM5 are prescribed in the draft document, with CMM2 set as the minimum. CMM2 is described as:
Security capability is well formed in designated business units. The security policies, capabilities, controls and practices are in place and repeatable. They are designed to meet the organisation's core security requirements.
Each topic area sets out control intent, actions, dependencies and measurable outcomes to drive continuous security uplift through ongoing self-assessment. The applicable NZISM controls are also referenced and remain relevant.
NCSC expects widespread interest in the new standards from other organisations and suppliers to government, not just the 37 agencies, and there is potential for New Zealand to drive a broader national security programme, similar to the effect the UK's long-established Cyber Essentials scheme has had on supply chains.
The NCSC states that the NZISM "remains our comprehensive technical controls catalogue for mandated agencies" but anticipates the new standards will drive sector-wide uplift against foundational cyber security practices.
On that basis, they should provide a welcome new approach that encourages the country's lightly regulated businesses to invest in cyber security measures deemed to be a 'minimum effort'.
Overcyte will include the Standards in our platform once they are finalised later this year, as the timeline for action approaches. For now, review the draft document published online and start an initial gap analysis to determine where your organisation sits on the maturity rating scales and which improvements you can prioritise before the end of 2025.