Questions are ordered from the baseline decision itself, through the current NCSC and Own Your Online controls, government-framework applicability, implementation and maturity, framework mapping, evidence, and the gaps most likely to make a paper baseline ineffective.
Does New Zealand have an "Essential Eight", and if not, what is the NZ cyber baseline?
New Zealand does not have an official New Zealand-government baseline called the Essential Eight, and SMB1001 is not a New Zealand government framework. Those names should not be presented as New Zealand law or official national guidance. New Zealand instead has a layered baseline. Own Your Online is the practical starting point for small and medium businesses. The NCSC publishes a current top ten set of Critical Controls for larger organisations, decision makers and IT specialists, plus a five-function Cyber Security Framework that organisations of any size can use to organise their work. Since October 2025, the NCSC has also published ten Minimum Cyber Security Standards with a four-level capability maturity model for GCISO-mandated government agencies; non-mandated organisations may adopt them voluntarily, but they are not automatically mandatory for a private SME. NZISM supplies detailed government controls. For any business holding personal information, Privacy Act 2020 information privacy principle 5 provides the legal outcome: use security safeguards that are reasonable in the circumstances. A sensible private-SME baseline is therefore Own Your Online first, the NCSC Critical Controls as the next technical priority set, and a recognised framework when risk, customer requirements or scale justify it.
- private SME — Begin with Own Your Online, then use the NCSC Critical Controls and Cyber Security Framework to close material gaps.
- larger or higher-risk organisation — Use all ten NCSC Critical Controls, the five framework functions and a structured control framework such as ISO/IEC 27001 or CIS Controls.
- GCISO-mandated government agency — The ten Minimum Cyber Security Standards and their capability maturity model are required within the NCSC government mandate.
- Privacy Act outcome — IPP 5 requires reasonable safeguards rather than prescribing one universal checklist.
We use Own Your Online as our small-business starting point, the current NCSC Critical Controls as our technical priority set, and the NCSC Cyber Security Framework to organise governance, identification, protection, detection, response and recovery. We select and document controls that are reasonable for our information, systems, threats, contractual commitments and business impact.
The NCSC critical controls — what are they and who are they for?
The current NCSC publication is called Critical Controls: Summary. Its current top ten are: patch your software and systems; implement multi-factor authentication and verification; provide and use a password manager; centralised logging; build security awareness in your organisation; asset lifecycle management; implement and test backups; implement application control; enforce the principle of least privilege; and implement network segmentation and separation. NCSC says the set is based on incident reports and international threat feeds, is reviewed annually, and can prevent, detect or contain most of the attacks it sees when correctly implemented. The page identifies IT specialists, decision makers, government and large organisations as its main audiences, and the NCSC's organisation page describes the Critical Controls as guidance for larger businesses and organisations. A small business may still use the list, but should translate enterprise-heavy controls such as centralised logging, application control and network segmentation into proportionate outcomes rather than buying complex tools without a clear risk case. Do not confuse the Critical Controls with the separate ten Minimum Cyber Security Standards introduced for GCISO-mandated government agencies.
- larger organisations and IT teams — Use the complete top ten as a prioritised technical and organisational control set.
- small business — Use the same outcomes proportionately, starting with supported assets, MFA, patching, password management, backups and an incident plan.
- annual priority set — Check the NCSC page during each annual review because controls can be changed or rotated.
We maintain an owner, scope, target state, implementation status, evidence source, review date and approved exception for each of the ten current NCSC Critical Controls. We check the NCSC source at least annually and update our register when the published priority set changes.
Own Your Online and the SME starter controls — MFA, updates, backups, passphrases, and what to do first
Own Your Online is the practical NCSC pathway for New Zealand individuals and businesses. For a small business, the first pass should be concrete. Turn on and enforce 2FA for email, cloud administration, document storage, banking, social media, accounting and systems holding customer, personal or financial information. Confirm every server, computer, mobile device, router and business application is still supported; enable automatic updates where practical and make sure tested updates are deployed within weeks rather than left indefinitely. Back up all important customer, operational and system data automatically, at a frequency matched to how quickly it changes, and keep at least one recoverable copy off the main server and preferably offline or disconnected. Use a business-provided password manager and long, strong, unique passwords or passphrases; Own Your Online recommends 16 or more characters or a passphrase of four or more random words. Then create a short, printed incident response plan and an online security policy so staff know who to call, what to disconnect, how to preserve evidence and how the business will keep operating. Add logs and alerts early: without them, a business may not know an incident occurred or what the attacker did.
- first week — Enforce 2FA on email, administrators, finance and cloud services; remove default credentials; identify unsupported devices and software.
- first month — Automate updates and separated backups, deploy a password manager, configure key alerts, and complete one restore test.
- next quarter — Complete the Own Your Online assessment, formalise the security policy and exercise the incident response plan.
We enforce 2FA for email, cloud administration, privileged accounts, finance systems and systems holding customer, personal or financial information. We use supported software and devices, enable automatic security updates where practical, and track exceptions. We provide a password manager and require long, strong, unique passwords or passphrases. We run automatic backups at a frequency matched to data change, keep a separated copy, test restoration, and maintain an accessible printed incident response plan.
NZISM — what is it and when does it actually apply to a private business?
The New Zealand Information Security Manual is the New Zealand Government's practitioner manual for information assurance and information-systems security. It contains essential or baseline controls and additional good-practice controls for government agencies, organised across topics such as asset management, authentication, access, incident management, communications, software and physical security. It is intended for government agencies and organisations, including the vendors, contractors and consultants that serve them. Crown entities, local government and private-sector organisations are encouraged to use it. That encouragement does not make the whole manual automatically mandatory for an ordinary private SME. NZISM becomes directly relevant when the business is a covered government organisation, when a government customer or procurement contract requires specified controls, when the business formally adopts it, or when another binding instrument incorporates it. A private business should therefore use NZISM selectively and traceably: identify the customer or risk requirement, select the relevant controls, record whether each is mandatory, contractual or voluntary, and avoid claiming full NZISM compliance without a defined scope and evidence.
- ordinary private SME — NZISM is useful reference material but is not automatically mandatory merely because the business operates in New Zealand.
- government supplier — Check tender, security schedule, information classification and agency instructions for incorporated NZISM controls.
- government agency or mandated organisation — Apply the relevant government mandate, PSR, Minimum Standards and NZISM requirements rather than treating them as optional SME advice.
NZISM controls apply to us where required by an applicable government mandate, law, contract, procurement condition, information classification or approved internal standard. For every adopted NZISM control, we record its source, scope, owner, implementation evidence and whether it is mandatory, contractual or voluntary.
MFA, patching and backups as the New Zealand "starting three" — how should we implement them?
The phrase 'starting three' is a practical shorthand for this guide, not the name of an official New Zealand framework. It reflects repeated Own Your Online and NCSC emphasis. For MFA, begin with email, privileged and administrator accounts, remote access, cloud administration, finance and any system containing sensitive information. Enforce it centrally, remove bypasses, protect recovery methods and review coverage rather than relying on users to opt in. For patching, maintain an inventory of hardware, operating systems, applications, routers, firewalls and cloud services; record support and end-of-life dates; enable automatic security updates where safe; prioritise externally exposed and exploited vulnerabilities; and track systems that cannot be updated. For backups, define the data and configurations required to resume each critical service, set recovery-point and recovery-time targets, automate the jobs, separate at least one copy from normal administration and the live network, monitor failures and perform recorded restoration tests. The control is not complete when a backup job says 'successful'; the business must be able to restore the right data within its required time. Once these three are working, add asset lifecycle management, password management, least privilege, logging, staff verification procedures, application control, segmentation and incident response.
- MFA — Measure the percentage of in-scope users and privileged accounts protected, exceptions, bypass routes and recovery-method security.
- patching — Measure supported-asset coverage, critical-patch ageing, end-of-life exposure and approved exceptions.
- backups — Measure job success, separation, immutable or offline coverage where appropriate, restore-test success and recovery against business targets.
MFA is mandatory for all privileged accounts, remote access, email, cloud administration, finance systems and systems holding sensitive information. All business devices and software must remain supported and receive security patches within a risk-based timeframe, with urgent treatment of internet-facing and actively exploited weaknesses. Critical data and configurations are backed up automatically, at least one recoverable copy is separated from normal administration, failures are alerted, and restoration is tested and recorded at least quarterly.
How do we pick a maturity target without an Essential Eight-style model?
A private New Zealand SME does not need to invent a score that looks official. Start with business outcomes and choose a target based on the sensitivity and volume of information, internet exposure, operational dependence, plausible threats, customer contracts, regulation, supplier access and the harm caused by downtime or disclosure. The NCSC Cyber Security Framework supplies five outcome areas: Guide and Govern; Identify and Understand; Prevent and Protect; Detect and Contain; and Respond and Recover. The government Minimum Cyber Security Standards also provide a four-level Cyber Security Capability Maturity Model, but that model was built for GCISO-mandated agencies; a private business may use it voluntarily without calling its result government certification. A practical internal progression is Foundation, where the Own Your Online controls operate across all critical systems; Managed, where all current NCSC Critical Controls have owners, repeatable processes and metrics; and Assured, where higher-risk controls are independently tested and mapped to ISO/IEC 27001, CIS Controls or binding sector and customer requirements. Those three labels are editorial bands for this guide, not an NCSC maturity model. Set the target per service or system rather than forcing the whole business to the same level, approve risk exceptions and review the target at least annually and after major change or incident.
- Foundation — Own Your Online essentials work across all critical services, with named owners and basic evidence. This is a guide-created band.
- Managed — All current NCSC Critical Controls are scoped, repeatable, measured and reviewed. This is a guide-created band.
- Assured — Higher-risk services have independent testing, formal risk treatment and ISO, CIS, sector or contractual mapping. This is a guide-created band.
- GCISO-mandated agency — Use the official Minimum Cyber Security Standards and CS-CMM requirements rather than the guide-created private-SME bands.
We set a documented cyber capability target for each critical service based on information sensitivity, exposure, business impact, threat, regulation and contractual commitments. We record the present state, target state, evidence, gaps, treatment owner, due date and accepted exceptions, and review the target at least annually and after material change or incident.
How do we map the NZ baseline to ISO/IEC 27001 and CIS Controls without duplicating work?
Use one control register rather than three separate programmes. Treat the NCSC and Own Your Online material as the New Zealand-priority view, ISO/IEC 27001:2022 as the management-system structure for governing and continually improving information-security risk, and CIS Controls v8.1 as a detailed, prioritised implementation catalogue. CIS currently has 18 Controls; Implementation Group 1 is described by CIS as essential cyber hygiene and contains 56 foundational Safeguards intended as an on-ramp, commonly suitable for smaller organisations with limited specialist resources. For each control outcome, record one internal control ID, owner, scope, systems, operating procedure, frequency, evidence and exceptions, then add reference columns for the matching NCSC Critical Control, Own Your Online guidance, ISO requirement or Annex A control, and CIS Safeguard. For example, one internal access-control record can cover NCSC MFA, password manager and least privilege outcomes while linking to the relevant ISO and CIS references. A mapping shows overlap; it does not prove that each framework's wording, scope or assurance requirement is identical, and it does not create ISO certification. Keep framework-specific obligations only where they genuinely differ, such as ISO management-system clauses, certification audit evidence or a customer's named control requirement.
- NCSC and Own Your Online — Use as the New Zealand priority and plain-language implementation layer.
- ISO/IEC 27001:2022 — Use for the risk-based management system, governance, continual improvement and formal assurance structure.
- CIS Controls v8.1 — Use its 18 prioritised Controls and IG1 safeguards for detailed technical implementation and measurement.
We maintain one control register as the source of truth. Each internal control has one owner, scope, procedure, operating frequency, evidence source and exception process, with reference mappings to applicable Own Your Online, NCSC, NZISM, ISO/IEC 27001 and CIS requirements. A mapping is not treated as proof of equivalence, operation or certification.
What evidence should a small New Zealand business keep to show the baseline is real?
Keep evidence that shows controls operate, not only that a policy exists. A proportionate evidence pack includes: a current asset and software inventory with owners and support dates; a list of critical services, data and suppliers; MFA and privileged-account coverage reports; password-manager deployment records; patch-compliance and unsupported-system reports; backup schedules, failure alerts and signed restore-test results; access reviews and leaver records; security-awareness and payment-verification records; key logs, alerts and retention settings; supplier due-diligence and security clauses; an approved risk and exception register; incident reports and exercise results; and dated policy approvals. Evidence should identify the system and period covered, the person who reviewed it, exceptions and follow-up actions. Keep enough history to show a pattern of operation, not a screenshot made for a customer questionnaire. Privacy Act IPP 5 does not prescribe this exact pack, but its reasonable-safeguards test makes context and accountability important. The NCSC framework also expects organisations to understand assets, supplier responsibilities, control effectiveness and response practice. For a very small business, a concise spreadsheet, exported admin reports and a quarterly evidence folder can be adequate if they are complete, current and actually reviewed.
- design evidence — Policies, risk assessment, asset scope, architecture, supplier clauses and approved standards show what should happen.
- operating evidence — System exports, tickets, alerts, reviews, test results and training records show what did happen.
- assurance evidence — Exception approvals, restore exercises, vulnerability testing, incident lessons and independent reviews show effectiveness.
Every baseline control must have dated evidence showing its scope, owner, operation and review. Evidence must identify exceptions and corrective actions and be retained in a central location accessible during an incident, customer review or privacy investigation. A policy statement without operating evidence is not treated as an implemented control.
What are the common gaps and mistakes in New Zealand SME cyber baselines?
Common gaps are practical rather than exotic. Businesses copy an Australian checklist and label it a New Zealand requirement; write a policy without assigning owners or collecting evidence; overlook routers, SaaS applications and staff-owned devices in the asset inventory; keep unsupported systems because they still work; enable MFA for some users but omit administrators, service accounts or recovery channels; reuse or share passwords instead of providing a password manager; apply updates inconsistently; keep backups under the same credentials or on the same network and never test a restore; give broad permanent administrator access; collect logs without useful alerts or retention; assume a cloud provider or IT supplier owns every security responsibility; skip payment and bank-detail verification; and leave incident response until the business is already under pressure. Another error is treating one strong control as the whole baseline. MFA helps with account compromise but cannot replace access separation, least privilege, patching, monitoring, backups, supplier controls and incident response. The NCSC framework is deliberately multi-dimensional, and Own Your Online's ransomware guidance says no single tool or control can stop every attack. Review gaps against the systems that keep the business operating, not against a generic list alone.
- paper-only — Policies, checklists and customer answers exist without owners, system scope, operation or evidence.
- partial coverage — MFA, patching, backups or logging cover ordinary users but miss administrators, cloud services, routers, recovery paths or suppliers.
- single-control thinking — One product or safeguard is treated as a substitute for layered prevention, detection, containment and recovery.
- outsourced IT — The business assumes the provider owns all risk without recording responsibilities, evidence, incident notice and recovery commitments.
We do not treat a policy, product, certification, cloud service or outsourced provider as a complete cyber baseline. Control coverage must include privileged access, recovery methods, cloud services, network devices, suppliers and unsupported assets. Exceptions require a named owner, documented risk, compensating control, approval and expiry date.
What's my next step?
Common misconceptions
- New Zealand has adopted Australia's Essential Eight as its official private-sector baseline. No New Zealand-government framework with that status was identified; New Zealand publishes its own NCSC, Own Your Online, NZISM and government Minimum Standards material. INFERRED
- SMB1001 is an official New Zealand government framework. It should not be represented that way; no such official status was identified in current NCSC baseline material. INFERRED
- The ten NCSC Critical Controls and the ten Minimum Cyber Security Standards are the same document. They are separate products with different stated audiences and purposes. VERIFIED
- The Minimum Cyber Security Standards and CS-CMM automatically bind every private SME. They are required for GCISO-mandated agencies; non-mandated organisations may adopt them voluntarily. VERIFIED
- NZISM automatically applies in full to every private New Zealand business. NCSC says private-sector organisations are encouraged to use it, while its primary intended use is government agencies and organisations. VERIFIED
- Privacy Act IPP 5 specifies a fixed technology checklist. It instead requires safeguards that are reasonable in the circumstances. VERIFIED
- Turning on MFA for a few accounts completes the baseline. NCSC and Own Your Online describe a layered set that also includes patching, password management, assets, logging, backups, least privilege, awareness and response. VERIFIED
- A successful backup notification proves recovery. NCSC's control is to implement and test backups, and Own Your Online recommends robust, separated backups that support restoration. VERIFIED
- Automatic updates solve unsupported-product risk. Unsupported devices and software may no longer receive security fixes and need replacement, isolation or another documented treatment. INFERRED
- Using a cloud service transfers all cyber and privacy responsibility to the provider. IPP 5 requires an agency using a service provider to do everything reasonably within its power to prevent unauthorised use or disclosure. VERIFIED
- Mapping a control to ISO/IEC 27001 means the business is ISO certified. Certification is a separate conformity-assessment decision and process. VERIFIED
- The NCSC Critical Controls are a permanent unchanging checklist. NCSC says it reviews them annually and may change or remove controls from the current top ten. VERIFIED
Obligations at a glance
The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.
| OBLIGATION | REGULATOR | TRIGGER | TIMEFRAME | PENALTY |
|---|---|---|---|---|
| Privacy Act 2020 IPP 5 reasonable security safeguards | Office of the Privacy Commissioner | An agency holds personal information. | Ongoing while the information is held and whenever systems, risks or handling arrangements change. | |
| Privacy Act 2020 IPP 5 safeguards for service-provider handling | Office of the Privacy Commissioner | Personal information is given to another person in connection with a service provided to the agency. | Before and throughout the service relationship, using everything reasonably within the agency's power to prevent unauthorised use or disclosure. | |
| Privacy officer appointment | Office of the Privacy Commissioner | The entity is a New Zealand business or organisation that is an agency under the Privacy Act. | Maintain at least one privacy officer on an ongoing basis. | |
| Notifiable privacy breach | Office of the Privacy Commissioner | A privacy breach has caused or may cause serious harm. | Notify the Commissioner and affected people as soon as practicable; OPC says ideally within 72 hours after awareness of a notifiable breach, even while investigation continues. | Failure without reasonable excuse to notify the Commissioner is an offence punishable by a fine up to NZD 10,000. |
| Use of a cyber security framework by public service departments | National Cyber Security Centre under the Protective Security Requirements system | The organisation is a public service department subject to mandatory Protective Security Requirements obligations. | Ongoing as part of the department's cyber security programme and assurance obligations. | |
| NCSC Minimum Cyber Security Standards for GCISO-mandated agencies | National Cyber Security Centre in its Government Chief Information Security Officer mandate | The organisation is within the GCISO mandate and is required to implement the ten Minimum Cyber Security Standards. | Ongoing implementation and reporting through the applicable PSR assurance cycle; confirm the current reporting period with NCSC and PSR instructions. |
Sources
- Critical Controls: Summary primary
- Protect your organisation — Critical Controls and Minimum Cyber Security Standards primary
- NCSC Cyber Security Framework primary
- Minimum Cyber Security Standards primary
- Cyber Security Capability Maturity Model primary
- New Zealand Information Security Manual primary
- Own Your Online for business primary
- Top online security tips for your business primary
- Protect your online accounts primary
- Create an incident response plan primary
- Create an online security policy for your business primary
- Protect your business against ransomware primary
- More than half of New Zealand businesses experiencing cyber threats primary
- Privacy Act 2020 Principle 5 — Storage and security of information primary
- Information for privacy officers primary
- NotifyUs of a serious privacy breach primary
- Privacy Act 2020 primary
- ISO/IEC 27001:2022 — Information security management systems primary
- The 18 CIS Critical Security Controls primary
- CIS Critical Security Controls Implementation Group 1 primary
- Geekzone discussion: Security — keep your passwords safe forum
- Geekzone discussion: QNAP Deadbolt Ransomware forum
- Geekzone discussion: Juniper Branch Router — EOL — Security Risk? forum
- Geekzone discussion: business email compromise and reasonable security forum
- Geekzone discussion: ManageMyHealth Data Breach forum
This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.