New Zealand’s National Cyber Security Centre (NCSC) has introduced ten Minimum Cyber Security Standards to support agencies under the Government Chief Information Security Officer (GCISO) mandate. The standards focus on foundational practices, increase visibility into cybersecurity posture, and help drive continuous improvement. They also help mandated agencies understand, benchmark, and improve their own practices, while the agency reporting they require generates system-wide insights for the NCSC.

The NCSC is coordinating closely with the Protective Security Requirements (PSR) team and has aligned its consultation and publication timeframes. Consultation on the Standards with GCISO-mandated agencies and industry partners commenced on June 16 and will continue until July 4. The standards take effect on October 30, 2025. By then, all mandated agencies must meet the baseline requirements and be ready to demonstrate compliance.

To support the consultation process, the Standards will be published on the NCSC website. Coordination is underway across the NCSC and the Government Communications Security Bureau (GCSB) to facilitate communication and engagement activities.

Consultation feedback will inform the evaluation of whether the Standards are set at an appropriate level. The final version is scheduled for publication in October. Mandated agencies will be expected to report on implementation as part of the PSR assurance reporting process in April 2026. 

Positioned between the controls in the New Zealand Information Security Manual and the NCSC Cyber Security Framework, the standards set clear expectations for how mandated agencies manage cybersecurity. They include a capability maturity model outlining steps for uplift and areas requiring attention. 

The minimum level has been set at CMM2, Planned &amp; Tracked. The NCSC has attempted to make the requirements as objective as possible so that agencies can make this assessment themselves. The PSR assessment tool has a built-in analysis capability that analyzes the entered results and provides a consolidated view of an organization’s maturity based on the self-reported data.

The ten Minimum Cyber Security Standards have been developed to help organizations identify, plan for, and respond to security risks within their specific operational environments. They cover key areas such as security awareness, risk management, asset identification and prioritisation, secure software configuration, patching, multi-factor authentication, detection of unusual behaviour, application of least privilege principles, data recovery, and response planning.

Each standard provides sufficient detail to support implementation and strengthen the overall security maturity of the organization. They are designed to help agencies understand the purpose, rationale, and practical application of each requirement. A built-in maturity model enables consistent tracking and measurement of cybersecurity risks over time, supporting a more structured and transparent approach to continuous improvement.

The NCSC recognizes that people represent both a critical asset and a potential vulnerability in the context of cybersecurity. The first standard, security awareness, is intended to ensure that staff possess the necessary context, understanding, and awareness to carry out their daily responsibilities securely. By embedding cybersecurity awareness into the organizational culture, security becomes a core consideration, on par with financial, operational, health and safety, and technical priorities.

Organizations are expected to provide the appropriate training and guidance to support the secure use of approved systems and applications. This training must be maintained and updated regularly to ensure that security awareness remains current and relevant. For effective implementation, organizations may consider developing both onboarding and ongoing cybersecurity awareness training for personnel across all levels. Staff should receive structured guidance on the secure use of information systems, with regular reviews to align the content with the evolving organizational security posture.

Cybersecurity policies, such as acceptable use policies, should clearly define permissible and prohibited behaviours. Compliance with these policies must be routinely assessed and reported. Specialised roles within the organization may require role-specific training programmes tailored to their functions and risk exposure.

Implementation has several prerequisites. Threats and risks must be identified and understood. A defined inventory of approved tools, along with associated policies, standards, and procedures, should be in place. Support from senior leadership is essential to ensure the successful rollout and ongoing endorsement of security awareness initiatives. Clear guidance must be available for staff who need advice on cybersecurity concerns.

Effectiveness can be measured through specific outcomes. Cybersecurity awareness training and guidance should be integrated across all stages of the employment lifecycle. Regular communication must reinforce expectations regarding secure behaviour and explicitly address prohibited activities, and staff should be able to demonstrate an understanding of both. Employees must also feel empowered to report security risks, anomalies, or suspected incidents, and reliable communication channels should exist to support the exchange of information between staff and management. The presence of structured awareness programmes, including online courses, modular training, education events, and compliance checkpoints, demonstrates an organizational commitment to maintaining a strong security culture.

Earlier this year, the NCSC reported that the country faces increasingly sophisticated cybersecurity threats from criminal entities and foreign state actors. In its inaugural year as New Zealand’s primary operational cybersecurity agency, the NCSC (part of the GCSB) recorded a total of 7,122 cybersecurity incidents for the period ending June 30, 2024, highlighting the growing challenges and complexities of safeguarding the nation’s digital infrastructure. The same report also identifies and analyzes some of the common, recurring techniques that malicious cyber actors have used in those incidents.
