SecurityPolicy.com.au
Home/ New Zealand/ Policy Fundamentals/ How to adopt, train and review security policies
New Zealand Policy Fundamentals Fundamentals Reviewed 2026-07-13

How to adopt, train and review security policies

10
current NCSC Critical Controls, including building security awareness
5
continuous functions in the NCSC Cyber Security Framework
5–10 min
time indicated for the Own Your Online business assessment
1–2 pages
NCSC's suggested length for a simple, understandable security policy
Why this guide exists

Questions are ordered through the full policy lifecycle: adoption and consultation, communication and acknowledgement, role-based training, operational embedding, effectiveness measurement, scheduled and event-driven review, continuous improvement and the maintenance gaps most likely to leave an SME relying on stale paper controls.

What does 'adopt, train and review' mean, and why do policies fail without it?

Adoption means more than approving a document. The organisation must decide that the policy applies, assign ownership, communicate its requirements, provide the systems and tools needed to comply and integrate the rules into business processes. Training gives each affected person the knowledge and practice needed to follow the policy and report problems. Review checks whether the policy remains accurate, lawful, proportionate and effective as the organisation, technology and threat environment change. Own Your Online expressly warns against creating a policy and never looking at it again, and says policies should be embedded into day-to-day work, company culture, staff management and customer treatment. NCSC treats security awareness as a long-term commitment and says effective programmes should not be limited to a one-off induction or annual video. A policy that is approved but inaccessible, unsupported, unmeasured or outdated may create expectations without changing actual risk.

How this differs by situation
  • adopt — Approve the policy, assign ownership, communicate requirements and provide the tools and processes needed to comply.
  • train — Give general and role-specific instruction before access where appropriate and reinforce it as risks and duties change.
  • review — Test accuracy, operation and effectiveness on a schedule and after material events.
  • retire — Withdraw superseded requirements, preserve an appropriate record and prevent users relying on obsolete versions.
COPY THIS, EXACTLY

A policy is adopted only when it is approved, owned, communicated, supported by practical tools and embedded into relevant work. People must receive training appropriate to their responsibilities. The policy must then be measured, reviewed, updated and formally retired when it is replaced or no longer required.

How should a new or updated security policy be approved and rolled out?

Begin with an identified risk, obligation or operational need, then involve the people who own the affected systems and processes. Check that the draft is consistent with employment agreements, collective agreements, privacy obligations, supplier contracts and other policies. Assign an accountable senior approver and document the intended implementation date, affected groups, training, systems changes, exceptions and evidence. Employment New Zealand says consultation on draft policies is required in some circumstances, including where a collective agreement or good-faith obligation requires it, and recommends consultation even where it is not formally required because it can improve understanding and support. Where a proposed policy materially affects duties, monitoring, workplace practices or an employee's position, provide relevant information, allow a reasonable opportunity to comment and genuinely consider feedback before finalising the change. Do not announce a predetermined outcome as consultation. Rollout should include manager briefing, user communication, accessible publication, required training, acknowledgement and a defined transition period where appropriate.

How this differs by situation
  • draft and impact assessment — Identify the reason, affected people, systems, employment effects, privacy implications, implementation work and conflicts.
  • employees and unions — Consult where required by good faith, an agreement or the effect of the proposed change, and consider feedback before deciding.
  • approver and policy owner — Confirm authority, resources, legal alignment, implementation readiness and accepted residual risk.
  • controlled rollout — Publish the approved version, brief managers, train users, record acknowledgement and monitor early implementation.
COPY THIS, EXACTLY

Before approval, each policy must be checked for business relevance, legal and contractual consistency, employee impact, implementation requirements and conflicts with existing documents. Employees and unions will be consulted where required by an agreement, good faith or the nature of the proposed change. Feedback must be considered before the final decision. The approved rollout must identify the owner, approver, effective date, affected users, communication, training, acknowledgement and implementation actions.

How should acknowledgement be recorded and policies kept accessible?

Every affected person should be able to find the current policy when they need it and understand which version applies. Employment New Zealand warns that it is difficult to hold employees responsible for a policy they cannot find or were not told about. It recommends communicating new and updated policies, making them available through channels such as an intranet, meetings, hard copies and training, and adding a version number and date. Record who received or was directed to the policy, the version, date, acknowledgement method and any required training. Electronic acknowledgement through an HR, learning or document system can provide useful evidence, but acknowledgement alone does not prove understanding, make an unreasonable rule lawful or waive employment and privacy rights. Provide a contact for questions, accessible formats where needed and a process for raising concerns. Retired versions should be removed from ordinary access while an authorised archive records what applied at a particular time.

How this differs by situation
  • authoritative copy — Maintain one clearly identified current version in a location accessible to everyone expected to comply.
  • acknowledgement record — Record user identity, policy version, issue date, acknowledgement date, method and linked training.
  • questions and concerns — Provide a contact and a route for users to question requirements or report barriers and non-compliance.
  • superseded versions — Remove obsolete copies from normal use and retain a controlled archive where historical evidence is needed.
COPY THIS, EXACTLY

The current approved policy must be easy for every affected user to find. Each controlled copy must display its owner, version, approval date, effective date and review date. The organisation records who received and acknowledged the policy, which version applied and whether required training was completed. Acknowledgement does not waive statutory rights or replace the organisation's duty to make requirements lawful, reasonable, understandable and practical.

What security-awareness training should be provided, to whom and how often?

Provide a basic security and privacy foundation to everyone with organisational access, then add role-specific training for people with greater risk or responsibility. Core topics should include phishing and social engineering, passwords and password managers, MFA, safe browsing, updates, information handling and disposal, mobile and remote work, incident reporting and the response plan. Administrators, finance staff, executives, customer-service teams, developers, privacy personnel and people handling sensitive information need targeted scenarios and deeper instruction. OPC expects privacy training to be tailored to roles, supported by policies and procedures, received during induction or before access to sensitive systems where appropriate, refreshed on an ongoing basis and recorded. NCSC says awareness should be regular and ongoing rather than an annual tick-box exercise. A practical SME baseline is induction before or promptly after access, at least annual general refreshers, more frequent phishing and threat updates, and additional training after role changes, incidents, policy changes or emerging campaigns. That frequency is a risk-based baseline, not a universal statutory timetable.

How this differs by situation
  • all users — Receive basic security, privacy, phishing, credential, information-handling and reporting training.
  • higher-risk roles — Receive targeted training for privileged access, payments, sensitive information, development, legal duties or incident decisions.
  • induction and access — Train during onboarding and before sensitive-system access where the role requires it.
  • refresh and event-driven training — Refresh regularly and after role, policy, threat, incident or control changes.
COPY THIS, EXACTLY

Everyone with organisational access must receive baseline security and privacy training. Additional training is assigned according to role, access, information handled and decision authority. Training is provided during induction and before sensitive access where appropriate, refreshed regularly and updated after material policy, role, threat or incident changes. Attendance, materials, completion and required follow-up are recorded.

How do we embed a policy into everyday work and company culture?

Put policy requirements into the places where work decisions occur. Access rules should appear in onboarding, role changes and offboarding; supplier rules in procurement and contracts; information-handling rules in forms, systems and templates; incident requirements in reporting buttons and escalation channels; and technical standards in system configuration and change management. Managers should reinforce expected behaviour in meetings, approvals and performance conversations, while leadership should model the rules rather than create informal exemptions. NCSC recommends a positive culture that rewards reporting and avoids stigmatising mistakes, because punishment-focused environments can cause people to hide incidents and near misses. Make secure behaviour easier by providing password managers, MFA, approved storage, reporting tools and practical alternatives to prohibited actions. Explain why rules exist, invite questions and tell people what happened after they reported a concern. Own Your Online says staff should understand both the risks the business faces and the reasoning behind policy decisions.

How this differs by situation
  • business-process integration — Build policy requirements into onboarding, access, procurement, projects, changes, offboarding and incident response.
  • leadership and managers — Model expected behaviour, remove conflicting incentives and reinforce requirements through routine decisions.
  • usable controls — Provide approved tools and straightforward processes so compliance is easier than insecure workarounds.
  • positive reporting culture — Reward timely reporting, avoid stigma and communicate outcomes and lessons.
COPY THIS, EXACTLY

Policy requirements must be built into the processes, systems and decisions where the relevant risk occurs. Leaders and managers must model the required behaviour. The organisation provides usable tools and approved alternatives, makes reporting simple, rewards timely escalation and avoids creating incentives to conceal mistakes. Users may ask questions and must be told the reasons for material requirements.

How do we measure whether a security policy actually works?

Measure both implementation and outcomes. Implementation evidence includes policy publication, acknowledgements, training completion, MFA coverage, access reviews, patch compliance, backup tests, supplier assessments, exception age and completion of incident exercises. Outcome measures include reporting speed, useful phishing and near-miss reports, repeated incident causes, recovery performance, audit findings, policy-related complaints and whether people can explain and apply the rules. NCSC's awareness guidance suggests looking for familiarity with the incident plan, ability to recognise common scams, use of a standardised reporting channel, follow-up of reports and an ongoing awareness programme. OPC recommends incident and near-miss logs, training and awareness feedback, staff surveys, training-session records and trend analysis. Avoid targets that discourage reporting, such as demanding zero incidents. A rising number of early reports may indicate improved awareness rather than worsening security. Metrics should be tied to policy objectives, interpreted in context and reported to an accountable owner.

How this differs by situation
  • implementation evidence — Measure whether required controls, training, reviews, tests and acknowledgements actually occurred.
  • behaviour and understanding — Test whether people recognise risks, use reporting channels and apply rules in realistic situations.
  • risk outcomes — Analyse incident causes, repeat failures, response time, recovery, audit findings and unresolved exceptions.
  • management reporting — Report trends, limitations, overdue actions and decisions rather than isolated vanity figures.
COPY THIS, EXACTLY

Policy effectiveness is measured through evidence of implementation, user understanding, control performance and risk outcomes. Measures must be linked to the policy's objectives and may include training completion, access and control coverage, tests, reporting behaviour, incident trends, audit findings, exceptions and corrective actions. Metrics must not discourage the reporting of incidents or near misses and must be interpreted in context.

What should trigger a policy review, and how should version control work?

Use both scheduled and event-driven review. Employment New Zealand says a review date should be scheduled after implementation and that regular reviews help keep policies accurate and fit for purpose. An annual review is a practical baseline for many SMEs, but it is not a universal statutory deadline. Review sooner after a material incident or near miss, legal or regulatory change, new threat, audit finding, major technology or cloud change, supplier change, new service, organisational restructure, role change, customer requirement, repeated exception or evidence that users misunderstand the rule. The policy owner should record the current version, approval and effective dates, next review, approver, change summary and linked documents. Material changes should repeat the required impact assessment, consultation, communication, training and acknowledgement steps. Superseded copies should be marked obsolete and removed from everyday locations while a controlled archive preserves the version history and reasons for change.

How this differs by situation
  • scheduled review — Set and record a recurring review date appropriate to policy risk, complexity and change rate.
  • event-driven review — Review after incidents, legal changes, threats, audits, technology, suppliers, services, restructuring and repeated control failure.
  • version control — Record owner, approver, version, dates, change summary, status and links to dependent documents.
  • retirement and archive — Remove obsolete copies from normal use and preserve controlled historical evidence where needed.
COPY THIS, EXACTLY

Every policy must have a scheduled review date and must also be reviewed after material legal, business, technology, supplier, threat, incident or assurance changes. The controlled document records its owner, approver, version, approval date, effective date, next review date and change summary. Material revisions require appropriate consultation, communication, training and acknowledgement. Superseded versions are marked obsolete, removed from normal use and retained only in the controlled archive.

How should incidents, near misses and audits drive continuous improvement?

Treat incidents, near misses, exercises, complaints, audit findings and exception trends as inputs to the policy lifecycle. Record what occurred, which requirement or control was involved, why the existing approach failed or was difficult to follow and whether the issue was isolated or systemic. OPC says actual privacy breaches and near misses should be logged so organisations can identify risk and improve processes and systems. It also expects breach and near-miss trends to inform training, refreshers and targeted sessions. NCSC recommends using incident data to demonstrate and improve the management of human risk and encourages a culture where people report concerns without stigma. Corrective actions should have an owner, priority, due date and closure evidence. Update the relevant policy, standard, procedure, tool, training or supplier arrangement rather than assuming a reminder email is enough. Test the revised control and report unresolved risk to the accountable approver.

How this differs by situation
  • capture — Log incidents, near misses, audit findings, complaints, exceptions and exercise observations.
  • analyse — Identify root causes, recurring patterns, policy barriers, control weaknesses and affected groups.
  • improve — Update documents, tools, training, processes, contracts and assigned controls according to the finding.
  • verify — Retest the change, retain closure evidence and escalate unresolved or accepted risk.
COPY THIS, EXACTLY

Incidents, near misses, exercises, complaints, audit findings and recurring exceptions must be analysed for lessons relevant to policy, training, systems and processes. Corrective actions require an owner, priority, due date and closure evidence. Updated requirements must be communicated and tested. The organisation will not discourage reporting by treating every mistake as misconduct or by setting targets that conceal useful incident information.

What are the common gaps in New Zealand SME policy adoption and maintenance?

Common gaps include copying policies without checking whether they match the business; approval with no implementation plan; treating an email link as training; failing to consult when a change materially affects employees; policies hidden in an unused folder; no version number, owner or review date; acknowledgements that cannot be tied to a specific version; generic annual training unrelated to roles or current threats; no training before sensitive access; leaders bypassing the rules; prohibiting insecure behaviour without providing an approved alternative; measuring only course completion; discouraging incident reporting; no record of exceptions; no event-driven review after incidents or technology changes; and obsolete versions remaining in circulation. Another gap is relying on Australian Essential Eight, SMB1001 or ASD ISM language as though it were New Zealand law. New Zealand businesses should use the Privacy Act, OPC, NCSC and Own Your Online as the principal local references, with employment-law consultation and fair-process requirements applied where policies affect employees.

How this differs by situation
  • rollout gap — The policy is approved but not consulted on, communicated, trained, acknowledged or supported by implementation work.
  • culture gap — Leaders create exceptions, secure behaviour is difficult and users fear reporting mistakes.
  • measurement gap — The organisation counts documents and course completion without testing behaviour, controls or outcomes.
  • maintenance gap — No owner, triggers, version history, archive, corrective-action process or retirement control exists.
COPY THIS, EXACTLY

A policy must not be treated as complete merely because it has been approved or acknowledged. It must reflect the real business, be accessible, supported by tools and training, applied consistently, measured against outcomes and reviewed after change. Current and superseded versions must be controlled. New Zealand law and guidance must not be replaced with Australian frameworks presented as local requirements.

What's my next step?

Common misconceptions

  • A policy is adopted as soon as management signs it. Effective adoption also requires ownership, communication, practical implementation, training and evidence. INFERRED
  • Sending employees a link proves they understand the policy. Communication and acknowledgement should be supported by appropriate training, questions and practical guidance. INFERRED
  • Employees never need to be consulted about policy changes. Employment New Zealand says consultation is required in some circumstances and may form part of good-faith obligations. VERIFIED
  • A generic annual awareness video is an adequate security-awareness programme. NCSC says programmes should involve regular, ongoing training and interaction rather than a yearly tick-box exercise. VERIFIED
  • Everyone should receive exactly the same security and privacy training. OPC recommends tailoring training to role, responsibility and risk. VERIFIED
  • Training completion alone proves a policy is effective. NCSC and OPC recommend examining understanding, reporting, incident trends, feedback and control outcomes. VERIFIED
  • A target of zero reported incidents proves security is working. OPC warns that this target may discourage reporting and remove useful insights. VERIFIED
  • Punishing every mistake creates a stronger security culture. NCSC warns that negative reinforcement can cause people to conceal issues for fear of punishment. VERIFIED
  • Policies only need review on a fixed annual date. Scheduled review should be supplemented by review after material incidents, legal, business, threat, system and supplier changes. INFERRED
  • Old versions can remain on shared drives because employees will know which one is current. Employment New Zealand recommends version numbers and dates so the current version is identifiable. INFERRED
  • Acknowledging a policy waives an employee's statutory rights or guarantees disciplinary action is justified. Employers must still have a good reason and follow the applicable fair process. VERIFIED
  • Australia's Essential Eight, SMB1001 and ASD ISM are New Zealand policy-governance requirements. They are not and should not be presented as New Zealand law or official New Zealand frameworks. INFERRED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
Privacy Act 2020 IPP 5 reasonable safeguards Office of the Privacy Commissioner The organisation holds personal information. Ongoing while personal information is held and whenever systems, people, suppliers, uses or risks change.
Privacy officer appointment Office of the Privacy Commissioner The entity is an organisation or agency subject to the Privacy Act. Maintain at least one person fulfilling the privacy-officer role on an ongoing basis.
Good-faith consultation on affected workplace policies Employment Relations Authority and Employment Court Consultation is required by a collective agreement, the good-faith duty or the nature and effect of a proposed policy or workplace change. Provide relevant information and a reasonable opportunity for feedback before finalising the decision, and genuinely consider the feedback received. Remedies or penalties may apply depending on the employment issue and breach.
Consistency with employment agreements Employment Relations Authority and Employment Court A workplace security policy or procedure applies to employees and overlaps with employment terms. Check consistency before approval and whenever the policy or employment agreement changes. The applicable reasonable and lawful employment-agreement term may prevail, and employment remedies may be available.
Fair process before disciplinary reliance Employment Relations Authority and Employment Court The employer proposes disciplinary action or dismissal based partly or wholly on an alleged policy breach. Before deciding, investigate sufficiently, raise the concern, provide relevant information and possible consequences, allow a reasonable response and genuinely consider it. Remedies may include reinstatement, reimbursement, compensation or other orders where legally available.
Notifiable privacy breach Office of the Privacy Commissioner A privacy breach has caused or is likely to cause serious harm to an affected individual. Notify the Commissioner and affected people as soon as practicable; OPC says notification should ideally occur within 72 hours after awareness of a notifiable breach. Failure without reasonable excuse to notify the Commissioner is an offence punishable by a fine up to NZD 10,000.
Contractual policy, training and assurance requirements Customer, government agency, insurer or contracting party entitled to enforce the applicable agreement A contract, tender, insurance policy or supplier security schedule requires policy adoption, training, acknowledgement, testing, review or evidence. As specified in the applicable agreement, including onboarding, refresher, reporting, review and renewal deadlines. Contractual, procurement, insurance or access consequences may apply depending on the agreement.

Sources

  1. Privacy Act 2020 Principle 5 — Storage and security of information primary
  2. Information for privacy officers primary
  3. Poupou Matatapu — Building Capability and Awareness primary
  4. Poupou Matatapu — Measure and Monitor primary
  5. Poupou Matatapu — Breach Management primary
  6. Office of the Privacy Commissioner privacy breach response plan primary
  7. NotifyUs of a serious privacy breach primary
  8. Privacy Act 2020 primary
  9. NCSC Critical Controls: Summary primary
  10. NCSC Build security awareness in your organisation primary
  11. NCSC Cyber Security Framework primary
  12. NCSC Protect your organisation primary
  13. Create an online security policy for your business primary
  14. Business online security assessment tool primary
  15. Own Your Online — How to spot phishing primary
  16. Unmask Cyber Crime business online security series primary
  17. Choosing an IT service provider primary
  18. Creating workplace policies and procedures primary
  19. Employment New Zealand — Good faith primary
  20. Employment New Zealand — Fair process primary
  21. Employment New Zealand — The basics of workplace change primary
  22. Employment Relations Act 2000 primary
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.