NZISMNZ GovernmentPublic SectorCritical Infrastructure

New Zealand Government Assessments to Reduce Spectrum of Risks

A due diligence approach to improve the effectiveness of the controls within the government sector. A government standard to improve the cybersecurity of organisations — an objective and independent assessment improves critical posture of security and reduces the risk. Cianaa provides assurance services for the New Zealand public sector under NZISM, ISO 27001, ISO 27701 and PCI DSS.

Standards we certify against

Multi-framework assurance

🇳🇿 NZISM — NZ Information Security Manual
🔒 ISO/IEC 27001 — ISMS
👤 ISO/IEC 27701 — Privacy (PIMS)
💳 PCI DSS — Cardholder data
NZISM

Why NZ Government Assurance Matters

Critical Industries Need Standards

Many industries and agencies are considered critical to the functioning of a society. Government standards can help ensure that these industries have appropriate cybersecurity measures in place.

Protecting Citizen Data

Governments collect and store a large amount of personal data on citizens, such as their names, addresses, and social security numbers. Implementing standards for cybersecurity can help protect this data.

National Defense & Resilience

Cyberattacks can be used to disrupt military operations, steal sensitive information, and cripple a country’s ability to respond to crises. Standards can help protect against this.

Best Practices for All

Implementing best practices from government standards for cybersecurity can help protect citizens, businesses, and the country as a whole from the growing threat of cyberattacks.

Acceptable Risk, Not Zero Risk

The aim is not to eliminate all risks but rather to identify and achieve an acceptable level of risk for the organisation.

Asset-Driven Policies

We identify an organisation’s information assets and then implement policies and procedures to protect those information assets.

Accredited Services to Government Sector

Multi-Standard Government Assurance

We provide assurance services by certifying and attesting your organisation against NZISM, ISO 27001, ISO 27701 and PCI DSS.

NZISM

NZ Information Security Manual

The New Zealand government standard providing a baseline for information security across government agencies and the critical infrastructure they serve.

ISO 27001

Information Security Management

International ISMS standard for building, implementing, and continuously improving information security across the organisation.

ISO 27701

Privacy Information Management

PIMS extension to ISO 27001 — managing personally identifiable information under GDPR, NZ Privacy Act and similar privacy regimes.

PCI DSS

Cardholder Data Protection

Where government agencies process payment card data, we provide PCI DSS QSA-led assessments as part of integrated assurance.

Our approach

The Auditor’s Philosophy

1

Scope & Objectives

The auditor defines the scope of the audit, sets clear objectives, and formulates a comprehensive plan for executing the audit effectively.

2

Identify Vectors

The auditors ascertain the individuals, processes, and technologies that fall within the scope of the audit, while also identifying potential attack vectors through comprehensive design review.

3

Threat-Based Framework

In light of the risks identified through the threat assessment, the auditors develop a comprehensive framework to assess each control, ensuring thorough due diligence is maintained.

4

Empirical Evidence

Our audit is grounded in empirical evidence. The findings are substantiated by data, providing our clients with a comprehensive overview of any identified nonconformities.

5

Control Effectiveness

The auditor assesses the effectiveness of the controls implemented to verify their presence, thereby mitigating potential threats and risks.

6

Conclusive Findings

The auditors expertly gather and analyze evidence from various sources to reach decisive conclusions and produce a robust, evidence-based report.

Diverse evidence corroboration

We use diverse approach to Evidence Corroboration

Triangulating evidence from multiple sources gives credible, defensible audit conclusions.

A

Multi-Standard Efficiency

Saves time efficiently by utilizing a single, streamlined method to evaluate a variety of different standards across multiple criteria.

B

Triple-Source Triangulation

Having three or more sources of evidence gives credible results for cyber security assessments.

C

Honest Posture Reporting

We state true facts or findings corroborated by evidence. The audit methodology indicates your probable risks and findings give you a true posture of risk — mitigated or elevated.

FAQ

Frequently Asked Questions about NZ Government Assurance

What is NZISM?

NZISM is the New Zealand Information Security Manual — the government standard providing a baseline for information security across New Zealand government agencies and the critical infrastructure they serve.

What standards do you assess against for NZ government clients?

We provide assurance services by certifying and attesting your organisation against NZISM, ISO 27001, ISO 27701 and PCI DSS.

What is the goal of NZ government assurance assessment?

The aim is not to eliminate all risks but rather to identify and achieve an acceptable level of risk for the organisation. We identify information assets and implement policies and procedures to protect them.

How does Cianaa approach the audit?

Our audit is grounded in empirical evidence — multi-source corroboration across at least three sources to give credible results. We state true facts or findings corroborated by evidence.

NZ Government Assurance

Reduce your spectrum of risks

Independent NZ government assurance — NZISM, ISO 27001, ISO 27701 and PCI DSS in a single, evidence-driven engagement. Multi-source triangulation, transparent reporting, acceptable-risk focus.