SecurityPolicy.com.au
Home/ New Zealand/ Policy Library/ Information security policy for New Zealand businesses
New Zealand Policy Library Policy template Reviewed 2026-07-13

Information security policy for New Zealand businesses

13
numbered information privacy principles in the Privacy Act framework
10
current NCSC Critical Controls
5
functions in the NCSC Cyber Security Framework
53%
of surveyed NZ SMEs experienced a cyber threat in the preceding six months
Why this guide exists

Questions are ordered from what the master policy should contain, through scope, safeguards, access, suppliers and monitoring, to exceptions, governance and the gaps most likely to make an SME policy ineffective.

What is an information security policy, and what must it contain for a New Zealand business?

An information security policy is the organisation's master statement of how it will protect information, systems and services, who is accountable, which rules apply and how exceptions, incidents and reviews are handled. New Zealand law does not prescribe one universal document titled 'information security policy' for every private SME. The legal outcome is more important than the title: Privacy Act 2020 information privacy principle 5 requires reasonable security safeguards whenever an agency holds personal information. Own Your Online nevertheless says all businesses should have an online security policy and recommends separate internal and external versions. The internal version should cover information handling, storage, encryption, backups, critical systems, patching, approved applications, access, authentication, devices, acceptable use, physical protection, logging and incident response. The external version should explain, without exposing sensitive technical detail, how customer information is protected, retained and handled when something goes wrong. A complete policy should also identify scope, ownership, legal and contractual requirements, third-party responsibilities, monitoring rules, exception approval and review triggers.

How this differs by situation
  • all private businesses — Use a proportionate policy covering information, systems, people, suppliers, access, devices, incidents, exceptions and review.
  • businesses holding personal information — Connect policy rules directly to Privacy Act 2020 IPP 5 and the other applicable privacy principles.
  • internal policy — Contains detailed roles, systems, processes, control requirements and sensitive operational information.
  • external security statement — Provides customers with a truthful overview, contact pathway and incident commitments without revealing exploitable detail.
PUT THIS IN YOUR POLICY, EXACTLY

We protect information and systems in a manner proportionate to their sensitivity, business importance, foreseeable threats, legal requirements and potential harm. This policy applies to our people, information, systems, devices, premises, cloud services, suppliers and business processes. It defines mandatory safeguards, accountability, acceptable use, access, monitoring, incident response, exceptions and review requirements. Detailed internal security information is not published, but customers are provided with a clear external statement describing how their information is protected and how security concerns can be reported.

How should the policy define scope, roles and information classification?

Scope should identify the legal entities, workers, contractors, information, applications, cloud services, network devices, physical records, locations and suppliers covered by the policy. It should include remote work and personally owned devices where business information can be accessed. Assign a senior policy owner, a technical or security lead, system and information owners, managers responsible for staff compliance and the organisation's privacy officer. The Privacy Act requires organisations to have at least one person performing the privacy-officer role. Classification should be simple enough to use consistently. A practical private-SME model is Public, Internal, Confidential and Restricted, with handling rules for access, storage, transmission, printing, retention and disposal. These labels are a practical model, not a statutory New Zealand classification scheme. Classification should reflect sensitivity, personal-information content, contractual restrictions and the business or individual harm that could result from unauthorised access, alteration, loss or unavailability.

How this differs by situation
  • policy owner — A senior manager accountable for approval, resources, enforcement and risk decisions.
  • information and system owners — People accountable for classification, access, retention, resilience and accepted risk for defined assets.
  • privacy officer — Required Privacy Act role overseeing privacy compliance, complaints, requests and liaison with OPC.
  • classification model — Use a small number of clearly defined handling categories rather than a complex scheme staff will not follow.
PUT THIS IN YOUR POLICY, EXACTLY

This policy applies to all employees, directors, contractors, temporary workers and third parties who access our information or systems. It covers information in electronic, verbal and physical form; company and personal devices used for work; offices and remote locations; applications, networks and cloud services; and outsourced processing. Information owners classify information as Public, Internal, Confidential or Restricted and apply the handling rules defined for each category. The policy owner, privacy officer, system owners, managers and users have the responsibilities assigned in this policy.

What are acceptable safeguards under IPP 5, and how do we turn 'reasonable steps' into concrete rules?

IPP 5 is an outcome test rather than a fixed technology checklist. What is reasonable depends on the sensitivity and volume of information, foreseeable threats, system exposure, organisational capability, contractual commitments and the likely harm to people and the business. The policy should convert that assessment into measurable control rules. New Zealand's current NCSC Critical Controls provide a practical reference: patch software and systems; enforce MFA and verification; provide a password manager; centralise logging; build security awareness; manage assets through their lifecycle; implement and test backups; control application execution; enforce least privilege; and segment networks. Own Your Online adds practical rules for encryption, approved systems, secure remote access, physical protection and incident planning. Not every SME needs enterprise-scale tooling, but every safeguard should have a defined scope, owner, operating frequency, evidence and exception process.

How this differs by situation
  • preventive safeguards — MFA, password management, patching, least privilege, application control, encryption and segmentation.
  • detective safeguards — Useful logging, actionable alerts, access reviews and reporting pathways.
  • recovery safeguards — Separated backups, restoration testing, incident planning and continuity arrangements.
  • risk owner — Documents why the selected safeguards are reasonable and approves treatment of remaining risk.
PUT THIS IN YOUR POLICY, EXACTLY

Security safeguards are selected according to information sensitivity, foreseeable threats, system exposure, business dependency and potential harm. At a minimum, in-scope systems must use supported software, timely security updates, multi-factor authentication for privileged and externally accessible accounts, unique credentials managed through an approved password manager, least-privilege access, protected and tested backups, appropriate encryption, security logging and incident reporting. Each control has a named owner, defined scope, operating evidence and approved exception process.

What access and authentication rules should the policy contain?

Access should be granted for a defined business need, approved by an accountable owner and limited to the minimum privileges required. Privileged and ordinary activities should use separate accounts where practical. MFA should be enforced for administrators, email, remote access, cloud administration, finance systems and other externally accessible or sensitive services. The NCSC describes enforced MFA as its most critical control for preventing unauthorised access. The organisation should provide an approved password manager and require long, strong and unique passwords or passphrases. Shared accounts should be avoided; where technically unavoidable, ownership, access and credential changes must be controlled. Joiner, mover and leaver processes should grant, alter and revoke access promptly. Access rights should be reviewed at a frequency based on risk, with more frequent review for privileged and sensitive systems. Authentication recovery methods, API keys, service accounts and emergency accounts must receive the same attention as ordinary user logins.

How this differs by situation
  • ordinary access — Role-based, individually assigned and limited to what the person needs for current duties.
  • privileged access — Separate accounts, stronger authentication, additional logging, limited duration and regular review.
  • non-human identities — Inventory and protect service accounts, API keys, tokens, certificates and automation credentials.
  • access lifecycle — Approve, provision, review, modify and revoke access when roles or relationships change.
PUT THIS IN YOUR POLICY, EXACTLY

Access is individually assigned, approved by the relevant information or system owner and limited to the minimum required for current duties. Multi-factor authentication is mandatory for privileged accounts, email, remote access, cloud administration, finance systems and other externally accessible or sensitive services. Privileged and routine activity must use separate accounts where supported. We provide an approved password manager, prohibit password reuse and uncontrolled credential sharing, review access according to risk, and promptly revoke access when employment, duties or supplier relationships end.

How should the policy cover third parties, cloud services and overseas providers?

Outsourcing does not outsource accountability. IPP 5 requires an agency giving personal information to a service provider to do everything reasonably within its power to prevent unauthorised use or disclosure. In many ordinary cloud-processing arrangements, section 11 of the Privacy Act treats the customer as continuing to hold the information because the provider is storing or processing it as the customer's agent. The fact that cloud servers are overseas does not automatically make every arrangement an IPP 12 disclosure. IPP 12 becomes relevant when personal information is disclosed to a foreign person or entity rather than merely processed on the New Zealand agency's behalf. Where IPP 12 applies, the organisation needs a permitted basis, such as reasonable grounds for believing the recipient provides comparable safeguards, or informed authorisation in the circumstances allowed by the principle. Policy rules should require risk-based supplier due diligence, written security and privacy terms, subprocessor visibility, access controls, data-location information, incident notification, business continuity, audit evidence, return or deletion of information and an exit plan.

How this differs by situation
  • processor or custodian — The provider holds information on the business's behalf; the business normally remains responsible under section 11.
  • overseas recipient — IPP 12 may apply where information is disclosed for the recipient's use rather than merely processed as an agent.
  • supplier assurance — Assess control capability, incidents, subcontractors, continuity, deletion, access and contractual responsibility.
  • exit management — Ensure information can be securely returned, transferred or deleted when the service ends.
PUT THIS IN YOUR POLICY, EXACTLY

Third parties may access or process information only after proportionate security and privacy due diligence and written approval. Contracts must address permitted use, confidentiality, access control, security safeguards, subprocessors, data locations, incident notification, cooperation, continuity, audit evidence, retention, secure deletion and exit assistance. We remain accountable for personal information processed on our behalf. Before disclosing personal information outside New Zealand, the privacy officer must assess IPP 12 and document the lawful basis and comparable safeguards.

How should the policy balance security monitoring with New Zealand privacy and employment law?

Monitoring is not unrestricted simply because the organisation owns the device or account. Employers must comply with the Privacy Act and employment-law good-faith obligations. Monitoring should have a legitimate and necessary purpose, collect no more information than needed, be proportionate to the risk and avoid unfair or unreasonably intrusive collection. Staff should be told what systems and activities may be monitored, what information is collected, why it is collected, how it may be used, who can access it, how long it is retained and whether it can support investigations or disciplinary processes. Employment New Zealand recommends a workplace policy, compliance with the Privacy Act and Employment Relations Act, consultation with employees and unions where applicable, and making sure employees understand the policy and its purpose. Covert monitoring is generally unfair unless exceptional circumstances provide a strong justification; legal advice should be sought before using it.

How this differs by situation
  • security monitoring — Use logs and alerts needed to protect accounts, systems, information and business operations.
  • transparency — Tell workers what is monitored, why, how the information is used and how long it is kept.
  • proportionality — Limit collection, access, use and retention to what the legitimate security purpose requires.
  • employment process — Consult where appropriate and follow good faith and fair-process obligations before relying on monitoring evidence.
PUT THIS IN YOUR POLICY, EXACTLY

We monitor company systems, accounts, networks and devices only for documented and legitimate purposes such as security, service reliability, legal compliance and investigation of suspected misuse. Monitoring must be necessary, proportionate, lawful, fair and no more intrusive than reasonably required. Personnel are informed of the monitoring performed, the information collected, its purposes, authorised users, retention and possible employment uses. Covert or materially expanded monitoring requires privacy, employment-law and senior-management review before deployment, except where immediate lawful action is necessary to address a serious threat.

How should policy exceptions and risk acceptance work?

Exceptions should be deliberate, documented and temporary rather than informal workarounds. The person requesting an exception should identify the affected rule, business reason, systems and information involved, duration, threat exposure and proposed compensating controls. An accountable risk owner should decide whether the residual risk is acceptable, with escalation for high-risk, privacy-sensitive or contractually restricted situations. Every approved exception should have an owner, expiry date, review date and remediation plan. An internal approval cannot waive the Privacy Act, employment obligations, sector rules or contractual commitments. If a required safeguard cannot be implemented, the organisation still needs to determine and document what alternative measures are reasonable in the circumstances. Expired exceptions should automatically cease or be reassessed rather than silently becoming permanent practice.

How this differs by situation
  • routine exception — Time-limited operational deviation with low residual risk and documented compensating controls.
  • material exception — Deviation involving sensitive information, privileged access, critical services, legal duties or significant customer risk.
  • risk owner — Accepts or rejects residual business risk and confirms that the decision sits within delegated authority.
  • privacy or legal reviewer — Confirms that an exception does not purport to waive binding legal or contractual obligations.
PUT THIS IN YOUR POLICY, EXACTLY

No person may create an informal exception to this policy. An exception request must identify the requirement, scope, business reason, risk, duration, compensating controls, remediation plan and accountable owner. Approval must be given by the authorised risk owner and, where personal information, employment monitoring, regulation or contract is affected, by the privacy or legal reviewer. Every exception has an expiry date and is reviewed before expiry. No exception authorises conduct that breaches law or a binding contract.

Who should approve and own the policy, and how often should it be reviewed?

A senior leader should own the policy because information security requires business authority, funding and cross-functional enforcement. The privacy officer should review privacy-related provisions, while technical owners confirm that control rules are realistic and verifiable. Managers are responsible for applying the policy to their teams, and workers and suppliers should acknowledge the rules relevant to them. Own Your Online warns against creating a policy and then never looking at it again; the policy should be embedded into everyday work, company culture, staff management and customer treatment. A practical review cadence for an SME is at least annually and additionally after a material incident, major system or supplier change, new service, legal or contractual change, audit finding or substantial organisational restructure. The annual cadence is good practice rather than a universal statutory deadline. Approval, review date, version, owner, next review and change history should be visible on the controlled document.

How this differs by situation
  • senior policy owner — Approves the policy, resources implementation and accepts material residual risk.
  • privacy and technical reviewers — Confirm legal alignment, operational feasibility and evidence requirements.
  • scheduled review — Review at least annually as a practical baseline.
  • event-driven review — Review after incidents, major changes, new risks, legal developments or assurance findings.
PUT THIS IN YOUR POLICY, EXACTLY

The Chief Executive or delegated senior leader owns and approves this policy. The privacy officer reviews privacy requirements, and technical and information owners confirm that assigned controls are implemented and evidenced. The policy is reviewed at least annually and following a material incident, significant technology or supplier change, new service, legal or contractual change, audit finding or organisational restructure. The controlled copy records its owner, approver, version, approval date, next review date and change history.

What are the common gaps in New Zealand SME information security policies?

Common gaps include copying a generic policy that does not match the actual business; treating a public privacy statement as the complete internal security policy; failing to identify information, critical systems, suppliers and personally owned devices; writing controls without owners, timeframes or evidence; allowing shared or reused credentials; omitting privileged access, service accounts and recovery methods; assuming the cloud provider owns all privacy and security risk; failing to distinguish outsourced processing under section 11 from an overseas disclosure under IPP 12; monitoring staff without clear notice, consultation or limits; allowing undocumented exceptions; keeping unsupported systems; relying on backups that have never been restored; omitting incident, customer-notification and vulnerability-reporting pathways; and failing to review the policy after change. Another mistake is importing Australia's Essential Eight, Australian ISM or SMB1001 and presenting them as New Zealand requirements. NCSC guidance, Own Your Online, IPP 5 and, where appropriate, NZISM are the relevant New Zealand reference points.

How this differs by situation
  • paper-only policy — The document contains aspirations but no owners, systems, operating rules, metrics or evidence.
  • incomplete scope — Cloud services, suppliers, remote work, BYOD, physical records and non-human accounts are omitted.
  • privacy and employment gaps — Third-party responsibility, overseas disclosures and employee monitoring are not addressed accurately.
  • stale policy — The document is not embedded, tested or updated after incidents and business change.
PUT THIS IN YOUR POLICY, EXACTLY

The policy must reflect our actual information, systems, cloud services, devices, suppliers, work practices and legal obligations. Every mandatory rule has an owner and evidence of operation. Shared credentials, unsupported systems, untested backups, undisclosed monitoring, unassessed suppliers and undocumented exceptions are not accepted as normal practice. Australian frameworks are not described as New Zealand legal requirements, and NZISM applies only where adopted or made binding through government, contractual or regulated requirements.

What's my next step?

Common misconceptions

  • Every New Zealand business is expressly required by statute to hold a document titled 'information security policy'. The law instead sets outcomes such as IPP 5 reasonable safeguards, while documented policies are strong evidence and good practice. INFERRED
  • A public privacy statement is the same as an internal information security policy. Own Your Online distinguishes a detailed internal policy from a lighter external statement. VERIFIED
  • IPP 5 prescribes one fixed technical checklist for every organisation. It requires safeguards that are reasonable in the circumstances. VERIFIED
  • Moving personal information to a cloud provider transfers privacy accountability to the provider. Under section 11, the customer normally remains responsible where the provider processes information as its agent. VERIFIED
  • Every use of an overseas-hosted cloud service is automatically an IPP 12 disclosure. OPC distinguishes agent-based processing under section 11 from disclosure to an overseas recipient. VERIFIED
  • An employer may monitor anything on a work device without notice or justification. Monitoring must comply with privacy and employment obligations and should be necessary, transparent, fair and proportionate. VERIFIED
  • NZISM automatically applies in full to every private New Zealand SME. It is government-focused, although private organisations are encouraged to use it and contracts may incorporate selected controls. VERIFIED
  • The NCSC Cyber Security Framework replaces risk management. NCSC says a framework complements rather than replaces the organisation's risk-management process and security programme. VERIFIED
  • A policy is complete once management signs it. Own Your Online says it must be embedded into everyday work, staff management, culture and customer treatment. VERIFIED
  • MFA alone satisfies the security baseline. NCSC's current priority set also includes patching, password management, logging, awareness, asset lifecycle, backups, application control, least privilege and segmentation. VERIFIED
  • An approved internal exception can waive Privacy Act or contractual duties. Internal risk acceptance does not remove externally binding obligations. INFERRED
  • Australia's Essential Eight, Australian ISM and SMB1001 are New Zealand government frameworks. They should not be presented as New Zealand legal or official baseline requirements. INFERRED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
Privacy Act 2020 IPP 5 reasonable security safeguards Office of the Privacy Commissioner The organisation holds personal information. Ongoing while the information is held and whenever systems, risks, uses, suppliers or handling arrangements change.
IPP 5 safeguards for personal information handled by a service provider Office of the Privacy Commissioner Personal information is given to another person in connection with providing a service to the organisation. Before and throughout the service relationship, using everything reasonably within the organisation's power to prevent unauthorised use or disclosure.
Privacy officer appointment Office of the Privacy Commissioner The entity is an organisation or agency subject to the Privacy Act. Maintain at least one person fulfilling the privacy-officer role on an ongoing basis.
Responsibility for outsourced processing under Privacy Act section 11 Office of the Privacy Commissioner A provider holds personal information as an agent for the organisation for safe custody or processing. Ongoing throughout the outsourced processing arrangement.
Privacy Act 2020 IPP 12 overseas disclosure safeguards Office of the Privacy Commissioner The organisation discloses personal information to a foreign person or entity in circumstances covered by IPP 12. Assess and document an authorised IPP 12 basis before making the disclosure and maintain the required safeguards while it continues.
Employee monitoring privacy requirements Office of the Privacy Commissioner The employer collects personal information through monitoring, recording, filming, email review, device monitoring or similar tools. Before collection and throughout use, retention and disclosure of the monitoring information.
Employment relationship good-faith duty Employment Relations Authority and Employment Court The organisation and worker are parties to an employment relationship, including when implementing or relying on workplace monitoring and policies. Ongoing throughout the employment relationship and relevant consultation or employment process. Remedies or penalties may apply depending on the nature of the breach and proceeding.
Notifiable privacy breach Office of the Privacy Commissioner A privacy breach has caused or is likely to cause serious harm. Notify the Commissioner and affected people as soon as practicable; OPC says it should ideally be notified within 72 hours after awareness. Failure without reasonable excuse to notify the Commissioner is an offence punishable by a fine up to NZD 10,000.
NZISM or customer security-policy requirement incorporated by contract or government mandate Relevant government agency, customer or contracting authority A government mandate, procurement condition, information classification, tender or contract makes specified controls or policy requirements binding. As stated in the applicable mandate, procurement document, contract or system-authorisation process. Contractual or government-assurance consequences may apply, depending on the instrument.

Sources

  1. Create an online security policy for your business primary
  2. Choosing an IT service provider primary
  3. NCSC Critical Controls: Summary primary
  4. NCSC Cyber Security Framework primary
  5. NCSC Protect your organisation primary
  6. New Zealand Information Security Manual primary
  7. More than half of New Zealand businesses experiencing cyber threats primary
  8. Privacy Act 2020 information privacy principles primary
  9. Privacy Act 2020 Principle 5 — Storage and security of information primary
  10. Privacy Act 2020 Principle 12 — Disclosure outside New Zealand primary
  11. Sending information overseas primary
  12. Information for privacy officers primary
  13. Can I monitor employee use of work computers and accounts? primary
  14. Can I record my employees? primary
  15. What information is my employer entitled to collect while I am working? primary
  16. NotifyUs of a serious privacy breach primary
  17. Privacy Act 2020 primary
  18. Employment New Zealand — Employee privacy primary
  19. Employment New Zealand — Working from home primary
  20. Employment Relations Act 2000 primary
  21. Geekzone discussion of business-email compromise and reasonable security forum
  22. r/newzealand discussion of personal devices, workplace applications and client information forum
  23. r/newzealand discussion of workplace email monitoring forum
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.