NZISM: who it's actually for, honestly.
NZISM comes up in a lot of searches about New Zealand cyber security, but it was written for government agencies, not for most mid-size organisations, startups or small businesses. If you've landed here wondering whether it applies to you, the short answer for most businesses is no.
What NZISM is
The New Zealand Information Security Manual, published by the National Cyber Security Centre, is the government's information security standard. It sets detailed technical and procedural controls for public sector agencies and the systems that handle government information. It is thorough, and it is genuinely useful if you're the audience it was written for.
Who it actually applies to
In practice, NZISM is directly relevant to government agencies, and to private businesses that supply government agencies under contracts that specifically reference it, or that handle classified or highly sensitive information. If none of that describes your organisation, treating NZISM as your target framework usually means adopting a lot of public-sector-specific process that doesn't map cleanly onto a smaller commercial operation.
What most businesses should use instead
For the large majority of mid-size New Zealand organisations, startups and small businesses, the Privacy Act 2020 sets the legal baseline, and NIST CSF 2.0 gives a practical, flexible structure for everything else. Both are covered in depth on their own pages. NZISM is worth knowing about, and worth checking against specifically if you supply government, but it shouldn't be the first framework most businesses reach for.
How this fits into an audit
We check NZISM alignment when it's genuinely relevant, typically for businesses supplying government or handling sensitive data under a contract that specifies it. For everyone else, our audits default to the Privacy Act 2020 and NIST CSF 2.0, which reflect what actually matters for a commercial business of your size.
NZISM FAQs
Does NZISM apply to my business?+
For most mid-size organisations, startups and small businesses, no, not directly. NZISM was written for New Zealand government agencies. It becomes relevant to a private business mainly if you supply government agencies, hold classified or highly sensitive information, or operate in a regulated sector that references it specifically.
If NZISM doesn't apply to us, what should we use instead?+
Most mid-size organisations and small businesses get more practical value from NIST CSF 2.0 or from aligning to the Privacy Act 2020's requirements, both of which are written for a much broader range of organisations. We can tell you honestly which framework actually fits your situation rather than defaulting to the best-known name.
We supply a government agency. Do we need to be NZISM compliant?+
It depends on the contract and the classification of the information involved. Some government procurement requires suppliers to demonstrate alignment with relevant NZISM controls, others do not. Check your specific contract or tender requirements, or ask us to review them as part of a scoping call.
Can an audit check us against NZISM anyway?+
Yes, where it is genuinely relevant. If you supply government or handle information at a sensitivity level where NZISM controls apply, we map findings against the specific controls relevant to your sector rather than the full manual, which is written primarily for public sector IT environments.
Not sure which framework actually applies to you?
Tell us about your organisation and we'll point you at the right one, honestly.
Book an Audit