This is a report of changes between nzism-data/NZISM-ISM Document-V.-3.8-September-2024.xml and nzism-data/NZISM-ISM Document-V.-3.9-April-2025.xml.

Controls Added

CID Title Classifications Compliances Text
7536 7.2.20.C.03. All Classifications Should

Agencies SHOULD formally share post-incident review reports by emailing them to incidents@ncsc.govt.nz.

7537 11.8.13.C.01. Top Secret, Secret, Confidential Should

Use of MFDs for printing, scanning, and copying purposes SHOULD be centrally logged.

7541 16.1.25.C.01. All Classifications Should

Agencies SHOULD design and implement Zero Trust principles and architecture to strengthen identification management.

7542 16.1.27.C.02. All Classifications Must Not

Agencies MUST NOT use shared credentials to access administrator or privileged access accounts.

NB: Break Glass accounts are exempt from this control. For further guidance on Break Glass accounts see Emergency accounts (Break Glass accounts section).

7543 16.1.30.C.01. All Classifications Should

Agencies SHOULD assess and determine the risk of centralised access management systems, including SSO, to safely manage integration into systems and when using FIM.

7544 16.1.31.C.01. All Classifications Must

Agencies MUST ensure adequate password policies are implemented and enforced across all systems.

7545 16.1.31.C.02. All Classifications Must

Agencies MUST implement a password policy enforcing at least annual password changes on systems that have not implemented MFA or passwordless authentication.

7546 16.1.31.C.03. All Classifications Must

Agencies MUST implement a password policy enforcing:

  • a minimum password length of 16 characters (e.g. four words); and
  • passwords that are long, strong and unique, meaning they meet the minimum length and are a combination of unique random words, characters or numbers.

NB: no explicit complexity requirements are enforced (e.g. numbers or special characters); however, passwords must be unique or random, and may include special characters and numbers to achieve this.

7547 16.1.31.C.04. All Classifications Must

To ensure the security of systems is not weakened through authentication mechanisms, at a minimum agencies MUST:

  • apply MFA appropriately (refer to controls in Section 16.7);
  • ensure authentication secrets (including passwords) are securely stored;
  • remove knowledge-based questions from the authentication process (e.g. dog’s name, first school, etc.);
  • screen new passwords to reduce the likelihood of previously compromised passwords being reused;
  • remove hints from the authentication process; and
  • change passwords when a suspected or known compromise of an account has occurred.

7548 16.1.31.C.06. All Classifications Should

Agencies SHOULD consider the use of location-based factors in the authentication process (e.g. users must be at an expected location (city, country, IP address) and provide the correct credentials for the authentication to succeed).

7549 16.1.31.C.07. All Classifications Should

When creating password policies, agencies SHOULD consider implementing annual password changes.

7562 16.1.34.C.02. All Classifications Must

Passwords and other authentication secrets MUST be stored securely including being:

  • salted (32 bits or more),
    • salts should be unique to each password and should be randomly generated.
  • hashed (HMAC using SHA-2/3), and
  • “stretched” (such as PBKDF2 with at least:
    • 600k iterations with internal hash function of HMAC-SHA-256; or
    • 210k iterations with internal hash function of HMAC-SHA-512).

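The screening step of 16.1.31.C.04 and the storage parameters of 16.1.34.C.02 (unique random salt, HMAC-SHA-2 based stretching, PBKDF2 with at least 600k iterations for SHA-256) combined into one registration-and-verification routine. This is an added example written for this report, not NZISM or NCSC code; the local breached-password list, the record format, the 16-byte salt size and the sample passphrases are illustrative assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Parameters from 16.1.34.C.02: PBKDF2 with HMAC-SHA-256 and at least 600k
# iterations, and a unique random salt of at least 32 bits per password.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16            # 128 bits; the control's floor is 32 bits
MIN_LENGTH = 16            # 16.1.31.C.03: 16 characters, no complexity rule

# Constructed breached-password list (assumption: an agency-maintained local
# list), held as SHA-1 digests, the form in which breach corpora are usually
# distributed, so the clear-text passwords are not kept on the system.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("correct horse battery staple", "Password123456789!")
}


def policy_failures(password: str) -> List[str]:
    """Return the 16.1.31 rules a candidate password fails (empty = accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    # Screening step from 16.1.31.C.04: reject previously compromised passwords.
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        failures.append("appears in a list of previously compromised passwords")
    return failures


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt and stretch a password; return a self-describing storage record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the stretched hash from the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256" or int(iterations) < PBKDF2_ITERATIONS:
        return False  # fail closed on records stretched below the control's minimum
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def register(password: str) -> str:
    """Apply the policy and screening, then produce the record to store."""
    failures = policy_failures(password)
    if failures:
        raise ValueError("; ".join(failures))
    return hash_password(password)


def make_weak_record(password: str, iterations: int) -> str:
    """Build a record stretched with fewer iterations, to show verify_password rejecting it."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"
```

verify_password rejects any record whose iteration count is below the control's minimum, so a legacy record stretched with fewer rounds fails closed and must be re-hashed at the user's next successful logon rather than being accepted silently; the stored record carries its own parameters, which is what makes that check (and a later migration to 210k rounds of HMAC-SHA-512) possible.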
7551 16.1.36.C.02. All Classifications Must

Where passwords are not set by the account holder, agencies MUST use temporary passwords when resetting system user accounts.

7552 16.1.36.C.03. All Classifications Should Not

Agencies SHOULD NOT use single factor authentication when changing users’ Multi-Factor Authentication details.

7558 16.1.37.C.01. All Classifications Must

Password managers provide no additional security to the sign-in password. Agencies using password managers MUST ensure sign-in passwords adhere to the password security policies used by the organisation.

7559 16.1.37.C.02. All Classifications Should

Agencies using password managers SHOULD consider the use of MFA to access the password manager.

7556 16.1.38.C.01. All Classifications Should

When moving to passwordless authentication, agencies SHOULD carry out a risk assessment and evaluate passwordless authentication models to choose authentication mechanisms and factors that best fit the organisation’s security and authentication requirements.

7554 16.1.39.C.01. All Classifications Must

Agencies MUST ensure authentication methods that are susceptible to replay attacks are disabled.

7550 16.4.37.C.03. All Classifications Should

Agencies SHOULD consider the use of time bound revocation to privileged accounts.

7553 16.4.39.C.02. All Classifications Must

Agencies MUST investigate any indication of compromise or misuse of systems credentials or accounts.

7555 16.5.12.C.02. All Classifications Should

Agencies SHOULD use Zero Trust principles alongside the use of VPN connections to enhance the security posture of the organisation. This should include removing the ability for a standard user to disable the VPN connection.

7557 16.6.13.C.05. All Classifications Should

Agencies SHOULD prioritise their log retention requirements based on the risks surrounding their most sensitive systems.

7560 16.6.15.C.01. All Classifications Should

Agencies SHOULD have a monitoring solution implemented that enables detection of incidents as they occur so that appropriate responses can be taken in adequate timeframes.

7561 16.6.15.C.02. All Classifications Should

Agencies SHOULD have systems available for processing system event logs to identify and correlate events which indicate behavioural anomalies or potential security compromise in the systems, in a near real-time manner.

7563 16.7.42.C.01. All Classifications Should

Where an agency has external facing systems, cloud-based services, or is authenticating to third-party services, they MUST:

  • require MFA for all user accounts; and
  • implement a secure, multi-factor process to allow entities to reset their standard user credentials.

7564 16.7.42.C.03. All Classifications Must

Agencies MUST implement MFA on all user accounts with remote access to organisational resources.

7565 16.7.42.C.04. All Classifications Should

Agencies SHOULD implement MFA on all user accounts with access to organisational resources.

7566 16.7.42.C.05. All Classifications Should

Where agencies have implemented MFA, they SHOULD implement phishing-resistant MFA on administration accounts.

7567 16.7.42.C.06. All Classifications Should

Agencies SHOULD use phishing-resistant MFA when authenticating users to systems.

7538 18.2.9.C.01. Secret, Confidential, Top Secret Must

EAP-TLS or PEAP-EAP-TLS MUST be used on wireless networks to perform mutual authentication.

7539 18.2.19.C.01. All Classifications Must Not

Agencies MUST NOT use Wi-Fi Protected Access (WPA) for wireless deployments.

7540 18.2.19.C.03. All Classifications Should

Agencies SHOULD use Wi-Fi Protected Access 3 (WPA3) for wireless deployments with preference given to WPA3-Enterprise 192-bit mode.

Controls Removed

CID Title Classifications Compliances Text
1223 7.2.21.C.01. All Classifications Should

Agencies SHOULD formally report information security incidents using the NCSC on-line reporting form.

3052 11.6.72.C.01. All Classifications Must Not

Any RFID tags of class 3, 4, or 5 MUST NOT be permitted in secure spaces.

3054 11.6.72.C.02. All Classifications Must Not

RFID readers MUST NOT be permitted in secure spaces.

3055 11.6.72.C.03. All Classifications Should Not

Class 2 RFID tags SHOULD NOT be permitted in secure spaces.

1857 16.1.40.C.01. Secret, Top Secret, Confidential Must

Agencies MUST implement a password policy enforcing:

  • a minimum password length of ten characters, consisting of at least three of the following character sets:
    • lowercase characters (a-z);
    • uppercase characters (A-Z);
    • digits (0-9); and
    • punctuation and special characters.

1858 16.1.40.C.02. All Classifications Should

Agencies SHOULD implement a password policy enforcing either:

  • a minimum password length of 16 characters with no complexity requirement; or
  • a minimum password length of ten characters, consisting of at least three of the following character sets:
    • lowercase characters (a-z);
    • uppercase characters (A-Z);
    • digits (0-9); and
    • punctuation and special characters.

1868 16.1.41.C.01. Confidential, Top Secret, Secret Must

Agencies MUST:

  • ensure that passwords are changed at least every 90 days;
  • prevent system users from changing their password more than once a day;
  • check passwords for compliance with their password selection policy where the system cannot be configured to enforce complexity requirements; and
  • force the system user to change an expired password on initial logon or if reset.

1870 16.1.41.C.03. All Classifications Should

Agencies SHOULD:

  • ensure that passwords are changed at least every 90 days;
  • prevent system users from changing their password more than once a day;
  • check passwords for compliance with their password selection policy where the system cannot be configured to enforce complexity requirements; and
  • force the system user to change an expired password on initial logon or if the password is reset.

1871 16.1.41.C.04. All Classifications Should Not

Agencies SHOULD NOT:

  • allow predictable reset passwords;
  • reuse passwords when resetting multiple accounts;
  • store passwords in the clear on the system;
  • allow passwords to be reused within eight password changes; and
  • allow system users to use sequential passwords.

1893 16.1.46.C.02. All Classifications Should

Agencies SHOULD:

  • lock system user accounts after three failed logon attempts;
  • have a system administrator reset locked accounts;
  • remove or suspend system user accounts as soon as possible when personnel no longer need access due to changing roles or leaving the agency; and
  • remove or suspend inactive accounts after a specified number of days.

1904 16.1.49.C.01. All Classifications Should

Agencies SHOULD configure systems to display the date and time of the system user’s previous login during the login process.

1909 16.1.50.C.01. All Classifications Should Not

Agencies SHOULD NOT permit the display of last logged on username, credentials or other identifying details.

1910 16.1.50.C.02. All Classifications Should Not

Agencies SHOULD NOT permit the caching of credentials unless specifically required.

1946 16.3.5.C.02. All Classifications Should

Agencies SHOULD:

  • ensure strong change management practices are implemented;
  • ensure that the use of privileged accounts is controlled and accountable;
  • ensure that system administrators are assigned an individual account for the performance of their administration tasks;
  • keep privileged accounts to a minimum; and
  • allow the use of privileged accounts for administrative work only.

Controls Changed

CID Title Classifications Compliances Text

Where an entry below has no "Change from 3.8" note, the report's text column shows no wording difference for that control.

1154 7.1.7.C.02. All Classifications Should

Agencies SHOULD develop, implement and maintain tools and procedures covering the detection of potential information security incidents, incorporating:

  • user awareness and training;
  • counter-measures against malicious code, known attack methods and types;
  • intrusion detection strategies;
  • dynamic network defence (i.e. protective DNS and/or NGFW);
  • data egress monitoring & control;
  • access control anomalies;
  • audit analysis;
  • system integrity checking; and
  • vulnerability assessments.

Change from 3.8: the report does not isolate the changed wording for this control; the dynamic network defence (protective DNS/NGFW) item is the only one rendered without its list punctuation and is most likely the addition.

1216 7.2.20.C.01. All Classifications Must

The Agency ITSM MUST report information security incidents categorised as:

  • Critical;
  • Serious; or
  • incidents related to multi-agency or government systems;

to the NCSC as soon as possible. A Report Form is provided on the NCSC website under Reporting an Incident at Report an incident and request support | National Cyber Security Centre.

Change from 3.8: the report interleaves two versions of the closing sentence; one inserts a "(see also ...)" cross-reference after "to the NCSC" whose target is not captured in this report.

1220 7.2.20.C.02. All Classifications Should

Agencies SHOULD report information security incidents categorised as Low to the NCSC. A Report Form is provided on the NCSC website under Reporting an Incident at Report an incident and request support | National Cyber Security Centre.

1271 7.3.7.C.01. All Classifications Must

Agencies MUST implement procedures and processes to detect data spills or data breaches.

1274 7.3.7.C.03. All Classifications Must

Agency SOPs MUST include procedures for:

  • all personnel with access to systems;
  • notification to the ITSM of any data spillage or breaches; and
  • notification to the ITSM of access to any data which they are not authorised to access.

1275 7.3.7.C.04. All Classifications Must

Agencies MUST document procedures for dealing with data spills or data breaches in their IRP.

1276 7.3.7.C.05. All Classifications Must

Agencies MUST treat any data spill or data breach as an information security incident and follow the IRP to deal with it.

1277 7.3.7.C.06. All Classifications Must

When a data spill or data breach occurs agencies MUST report the details of the data spill to the Privacy Commissioner and information owner in accordance with the Privacy Act 2020.

Change from 3.8 (7.3.7.C.01 to C.06): the "data breach" wording alongside "data spill" is the only difference visible in the report for these controls.

1285 7.3.8.C.03. All Classifications Should

When a data spill or data breach involving classified or sensitive information, or contamination of classified systems, occurs and systems cannot be segregated or isolated, agencies SHOULD immediately contact the NCSC for further advice.

Change from 3.8: "a data spill involving classified information or contamination of classified systems" → "a data spill or data breach involving classified or sensitive information or contamination of classified systems".

1290 7.3.9.C.01. All Classifications Should

Agencies SHOULD follow the steps described below when malicious code is detected:

  • isolate the infected system;
  • decide whether to request assistance from NCSC;
  • if such assistance is requested and agreed to, delay any further action until advised by NCSC;
  • check connected systems and media, including backups, for malicious code;
  • isolate all infected systems and media to prevent reinfection;
  • change all passwords and revoke all session tokens associated with the user and/or device;
  • advise system users of any relevant aspects of the compromise, including a recommendation to change all passwords on compromised systems;
  • use up-to-date anti-malware software to remove the malware from the systems or media;
  • monitor network traffic for malicious activity;
  • record and report the information security incident and perform any other activities specified in the IRP; and
  • in certain scenarios, rebuilding and reinitialising the system and/or user profile may be required.

Change from 3.8: "scan all previously connected systems and any media used within a set period leading up to the information security incident for malicious code" → "check connected systems and media including backups for malicious code"; "change all passwords and key material stored or potentially accessed from compromised systems, including any websites with password controlled access" → "change all passwords and revoke all session tokens associated with user and/or device"; "in the worst case scenario, rebuild and reinitialise the system" → "in certain scenarios rebuilding and reinitialising the system and/or user profile may be required".

1294 7.3.10.C.01. All Classifications Must

Agencies considering allowing an attacker to continue some actions under controlled conditions for the purpose of seeking further information or evidence MUST seek legal advice.

Change from 3.8: SHOULD → MUST.

1403 8.4.10.C.01. All Classifications Must

Agencies MUST ensure that when secure areas are non-operational or when work areas are unoccupied IT equipment with media is secured in accordance with the minimum physical security requirements for storing classified information as specified in the PSR Storage requirements for electronic information in ICT, with supporting document – Storage requirements for electronic information in ICT facilities.

Change from 3.8: the referenced PSR material was "the PSR Management protocol for physical security with supporting document Physical Security for ICT facilities"; the report's rendering of the new reference is partly garbled.

1829 16.1.26.C.01. All Classifications Must

Agencies MUST ensure that all system users are:

  • uniquely identifiable; and
  • authorised and authenticated on each occasion that access is granted to a system.

Change from 3.8: "authorised" → "authorised and authenticated".

1837 16.1.28.C.01. All Classifications Must

If agencies choose to allow shared, non user-specific accounts they MUST ensure that an independent means of determining the identification of the system user is implemented and logged.

1841 16.1.29.C.02. All Classifications Should

Agencies SHOULD ensure that they combine the use of multiple-factor authentication (MFA) when identifying and authenticating system users.

Change from 3.8: "multiple-factor methods" → "multiple-factor authentication (MFA)".

1869 16.1.31.C.05. All Classifications Must Not

Agencies MUST NOT:

  • allow predictable reset passwords;
  • store passwords in the clear on the system; and
  • reuse passwords when resetting multiple accounts.

Change from 3.8: the items "allow passwords to be reused within eight password changes" and "allow system users to use sequential passwords" are dropped (the matching SHOULD NOT control 16.1.41.C.04 is listed under Controls Removed).

1847 16.1.33.C.01. All Classifications Must

Agencies MUST ensure that system authentication data is protected when in transit on organisation networks or All-of-Government systems.

Change from 3.8: "agency networks" → "organisation networks".

6553 16.1.34.C.01. All Classifications Must

Password and other authentication secrets MUST be hashed before storage using an approved cryptographic protocol and algorithm. See Chapter 17 – Cryptography.

Change from 3.8: "authentication data" → "authentication secrets"; SHOULD → MUST (the storage parameters are in the new 16.1.34.C.02).

1875 16.1.36.C.01. All Classifications Must

Agencies MUST ensure system users provide sufficient evidence to prove they are the owner of the account when requesting a password reset for their system account or making changes to their multi-factor authenticators.

Change from 3.8: "to verify their identity when requesting a password reset for their system account" → "to prove they are the owner of the account when requesting a password reset for their system account or making changes to their multi-factor authenticators".

1878 16.1.39.C.02. All Classifications Must

Agencies MUST disable LAN Manager for password authentication on workstations and servers.

Change from 3.8: SHOULD → MUST.

1881 16.1.40.C.01. All Classifications Should

Agencies SHOULD develop and implement a policy to automatically logout and shutdown workstations after an appropriate time of inactivity. This includes invalidating any session tokens.

Change from 3.8: this text now carries the 16.1.40.C.01 title; the 3.8 control with that title (CID 1857, the Top Secret/Secret/Confidential password policy) is listed under Controls Removed.

1885 16.1.41.C.01. Confidential, Top Secret, Secret Must

Agencies MUST:

  • configure systems with a screen and session lock;
  • configure the lock to activate:
    • after a maximum of 10 minutes of system user inactivity; or
    • if manually activated by the system user;
  • configure the lock to completely conceal all information on the screen;
  • ensure that the screen is not turned off or enters a power saving state before the screen or session lock is activated;
  • have the system user reauthenticate to unlock the system; and
  • deny users the ability to disable the locking mechanism.

Change from 3.8: "a session or screen lock" → "a screen and session lock"; "deny system users" → "deny users"; as with 16.1.40.C.01, the 3.8 control carrying this title (CID 1868) is listed under Controls Removed.

1886 16.1.41.C.02. All Classifications Should

Agencies SHOULD:

  • configure systems with a session or screen lock;
  • configure the lock to activate:
    • after a maximum of 10 minutes of system user inactivity; or
    • if manually activated by the system user;
  • configure the lock to completely conceal all information on the screen;
  • ensure that the screen is not turned off or enters a power saving state before the screen or session lock is activated;
  • have the system user reauthenticate to unlock the system; and
  • deny system users the ability to disable the locking mechanism.

Change from 3.8: inactivity timeout 15 minutes → 10 minutes.

1892 16.1.42.C.01. All Classifications Must

Agencies MUST:

  • record all successful and failed logon attempts;
  • lock system user accounts after three failed logon attempts;
  • use a temporary lock out feature to unlock the system (max [] times);
  • have a system administrator reset locked accounts if [] times is superseded;
  • remove or suspend system user accounts as soon as possible when personnel no longer need access due to changing roles or leaving the organisation; and
  • remove or suspend inactive accounts after a specified number of days.

NB: Agencies can determine the risk of using a temporary lock out feature on their specific systems. [] indicates the chosen 'value of times' an agency has decided to use for the temporary lock out feature.

Change from 3.8: "agency" → "organisation" is the only difference the report isolates; the 3.8 SHOULD counterpart 16.1.46.C.02, which had no logon-recording or temporary lock out items, is listed under Controls Removed.

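The lockout rules of 16.1.42.C.01, including the temporary lock out feature and the administrator reset once the chosen "[]" count is used up, as a small controller that also records every successful and failed logon attempt. This is an added example written for this report, not NZISM or vendor code; the lock duration (900 seconds), the choice of two temporary lock outs as the "[]" value, and the user name "alice" are illustrative assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 3     # control: lock after three failed logon attempts
MAX_TEMP_LOCKOUTS = 2       # the control's "[]" value; 2 is an illustrative choice
TEMP_LOCKOUT_SECONDS = 900  # assumption: duration of one temporary lock out


@dataclass
class AccountState:
    failed_attempts: int = 0
    temp_lockouts: int = 0                # temporary lock outs used so far
    locked_until: Optional[float] = None  # set while a temporary lock is active
    admin_locked: bool = False            # set once [] temporary lock outs are used up


@dataclass
class LogonController:
    """Applies the 16.1.42.C.01 lockout rules and records every logon attempt."""
    accounts: Dict[str, AccountState] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def _record(self, now: float, user: str, event: str) -> None:
        # "Record all successful and failed logon attempts"
        self.audit_log.append(f"{now:.0f} {user} {event}")

    def logon(self, user: str, credentials_ok: bool, now: float) -> str:
        acct = self.accounts.setdefault(user, AccountState())
        if acct.admin_locked:
            self._record(now, user, "DENIED locked, administrator reset required")
            return "admin_locked"
        if acct.locked_until is not None:
            if now < acct.locked_until:
                self._record(now, user, "DENIED temporarily locked")
                return "temp_locked"
            acct.locked_until = None  # the temporary lock has expired: unlock
            acct.failed_attempts = 0
        if credentials_ok:
            acct.failed_attempts = 0
            acct.temp_lockouts = 0
            self._record(now, user, "SUCCESS")
            return "success"
        acct.failed_attempts += 1
        self._record(now, user, f"FAILURE attempt {acct.failed_attempts}")
        if acct.failed_attempts < MAX_FAILED_ATTEMPTS:
            return "failure"
        if acct.temp_lockouts < MAX_TEMP_LOCKOUTS:
            acct.temp_lockouts += 1
            acct.locked_until = now + TEMP_LOCKOUT_SECONDS
            self._record(now, user, f"TEMP-LOCKED {acct.temp_lockouts}/{MAX_TEMP_LOCKOUTS}")
            return "temp_locked"
        acct.admin_locked = True  # [] times used up: only an administrator can reset
        self._record(now, user, "LOCKED administrator reset required")
        return "admin_locked"

    def admin_reset(self, user: str, now: float) -> None:
        self.accounts[user] = AccountState()
        self._record(now, user, "RESET by administrator")


def demo() -> Tuple[List[str], List[str]]:
    """Walk one account through both temporary lock outs and the administrator reset."""
    ctl = LogonController()
    outcomes: List[str] = []
    now = 0.0

    def attempt(credentials_ok: bool) -> None:
        nonlocal now
        now += 1
        outcomes.append(ctl.logon("alice", credentials_ok, now))

    for _ in range(3):
        attempt(False)               # failure, failure, temp_locked (1st lock out)
    attempt(True)                    # right password, but still temp_locked
    now += TEMP_LOCKOUT_SECONDS      # first lock out expires
    for _ in range(3):
        attempt(False)               # failure, failure, temp_locked (2nd lock out)
    now += TEMP_LOCKOUT_SECONDS      # second lock out expires
    for _ in range(3):
        attempt(False)               # failure, failure, admin_locked
    attempt(True)                    # admin_locked: no self-service unlock left
    ctl.admin_reset("alice", now)
    attempt(True)                    # success
    return outcomes, ctl.audit_log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The NB in the control is the point of the temporary lock out counter: a bounded number of self-expiring locks limits the help-desk load from mistyped passwords, while the hard administrator lock after "[]" rounds stops an attacker from using the automatic unlock to keep guessing indefinitely.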
1930 16.2.4.C.01. All Classifications Must

Agencies MUST follow the process described in the table below for developing an access control list.

Stage  Description
1      Establish groups of all system resources based on similar security objectives.
2      Determine the information owner for each group of resources.
3      Obtain agreement from system owners.
4      Establish groups encompassing all system users based on similar functions or security objectives.
5      Determine the group owner or manager for each group of system users.
6      Determine the degree of access to the resource for each system user group, incorporating the principle of least-privilege access.
7      Decide on the level of access for security administration, based on the internal security policy.
8      Identify any classification, protective markings and releasability indicators (such as NZEO or compartmented information).

Change from 3.8: SHOULD → MUST; "follow a defined process, such as described in the table below" → "follow the process described in the table below".

1945 16.3.5.C.01. All Classifications Must

Agencies MUST:

  • ensure strong change management practices are implemented;
  • ensure that the use of privileged accounts is controlled and accountable;
  • ensure that system administrators are assigned, and consistently use, an individual account for the performance of their administration tasks;
  • keep privileged accounts to a minimum; and
  • allow the use of privileged accounts for administrative work only.

Change from 3.8: "are assigned an individual account" → "are assigned, and consistently use, an individual account"; the 3.8 SHOULD counterpart 16.3.5.C.02 is listed under Controls Removed.

1953 16.3.7.C.01. All Classifications Should

Agencies involved in frequent transfers of data from another system to their system with a lesser classification SHOULD ensure at least one privileged user has a security clearance level commensurate with the classification of the higher system.

Change from 3.8: "SHOULD clear at least one privileged user to the classification of the higher system" → "SHOULD ensure at least one privileged user has a security clearance level commensurate [with] the classification of the higher system" ("with" is absent in the report's rendering).

6837 16.4.36.C.03. All Classifications Must

Agencies MUST manage privileged accounts in accordance with the agency’s PAM policy.

Change from 3.8: capitalisation only ("Privileged Accounts", "Agency’s PAM Policy" → lower case).

6843 16.4.37.C.02. All Classifications Must

Agencies MUST use two-factor or Multi-Factor Authentication to allow access to privileged accounts.

Change from 3.8: SHOULD → MUST; "Privileged Accounts" → "privileged accounts".

2001 16.6.7.C.01. All Classifications Should

A system management log SHOULD record the following minimum information:

  • all system start-up and shutdown;
  • all system changes;
  • user changes;
  • service, application, component or system failures;
  • maintenance activities;
  • backup and archival activities;
  • system recovery activities; and
  • special or out of hours activities.

Change from 3.8: "system start-up and shutdown" and "system changes" gain "all"; "component or system failures" → "service, application, component or system failures".

2009 16.6.9.C.01. Top Secret, Secret, Confidential Must

Agencies MUST log, at minimum, the following events for all software components:

  • any login activity or attempts;
  • date and time;
  • all privileged operations;
  • failed attempts to elevate privileges;
  • security related system alerts and failures;
  • software upgrades and/or software patching;
  • system recovery activities;
  • system user and group additions, deletions and modification to permissions; and
  • unauthorised or failed access attempts to systems and files identified as critical to the organisation.

Change from 3.8: the separate items "logons", "failed logon attempts" and "logoffs" are replaced by "any login activity or attempts"; "agency" → "organisation".

2013 16.6.10.C.02. All Classifications Should

Agencies SHOULD log, at minimum, the following events for all software components:

  • any login activity or attempts;
  • all privileged operations;
  • failed attempts to elevate privileges;
  • security related system alerts and failures;
  • all software updates and/or patching;
  • system user and group additions, deletions and modification to permissions; and
  • unauthorised or failed access attempts to systems and files identified as critical to the organisation.

Change from 3.8: "user login" → "any login activity or attempts"; "agency" → "organisation".

2022 16.6.12.C.01. All Classifications Must

Event logs MUST be protected from:

  • modification;
  • unauthorised access; and
  • whole or partial loss within the defined retention period.

Change from 3.8: "modification and unauthorised access" is split into two items.

2031 16.6.13.C.04. All Classifications Should

Agencies SHOULD retain DNS, proxy and event logs for at least 12 months.

Change from 3.8: "for a minimum of 18 months" → "for at least 12 months"; the report also shows a change in how the log types are listed (now "DNS, proxy and event logs").

6953 16.7.42.C.02. All Classifications Should

Where an agency has implemented MFA they MUST:

  • require MFA for administrative or other high privileged users; and
  • implement a secure, multi-factor process to allow entities to reset their standard user credentials.

Change from 3.8: SHOULD → MUST (the Compliances column above still shows Should); "to allow users to reset their normal usage credentials" → "to allow entities to reset their standard user credentials".

6952 16.7.42.C.07. All Classifications Should

The design of an agency’s MFA SHOULD include consideration of:

  • Risk identification;
  • Level of security and access control appropriate for each aspect of an organisation’s information systems (data, devices, equipment, storage, cloud, etc.);
  • A formal authorisation process for user system access and entitlements;
  • Logging, monitoring and reporting of activity;
  • Review of logs for orphaned accounts and inappropriate user access including unsuccessful authentication;
  • Identification of errors and anomalies which may indicate inappropriate or malicious activity;
  • Incident response;
  • Remediation of errors;
  • Suspension and/or revocation of access rights where policy violations occur; and
  • Capacity planning.

Change from 3.8: "Risk Identification" → "Risk identification"; "agency’s information systems" → "organisation’s information systems".

6956 16.7.43.C.01. All Classifications Should

The design of an organisation’s MFA system SHOULD be integrated with the agency’s Information Security Policy, the agency’s Privileged Access Management (PAM) Policy, and any additional agency password policies.

Change from 3.8: "an agency’s MFA system" → "an organisation’s MFA system" (the report renders it as "organisations", without the apostrophe); "and any additional agency password policies" appears to be added.

6960 16.7.44.C.01. All Classifications Must

When agencies implement MFA they MUST ensure users have an understanding of the risks, and include appropriate usage and safeguards for MFA in the organisation’s user training and awareness programmes.

Change from 3.8: "agency’s" → "organisation’s".

3319 18.2.9.C.02. All Classifications Must

WPA2-Enterprise with EAP-TLS, WPA2-Enterprise with PEAP-EAP-TLS, WPA2-Enterprise with EAP-TTLS or WPA2-Enterprise with PEAP MUST be used on wireless networks to perform mutual authentication.

3386 18.2.19.C.02. All Classifications Should Not

Agencies SHOULD NOT use Wi-Fi Protected Access 2 (WPA2) for wireless deployments.