Design for and implement security controls for cloud services

To reduce time and effort for agencies, this section contains the security guidance currently available for major public cloud services. It also describes all guidance in development, including guidance on office productivity services.

Certification and Accreditation

Agencies are required to certify and accredit their own IT systems and services. The certification and accreditation processes set out in the New Zealand Information Security Manual (NZISM) will be reviewed by the GCSB to make sure that they are relevant for cloud services.

In addition, DIA is developing guidance for agency security certification and accreditation processes. This will help agencies streamline their existing processes.

Security certification for major public cloud services

Security certification documents for some public cloud services are now available. These will significantly reduce the time and effort needed to complete security certification for these services.

These documents typically include a generic risk assessment, an independent audit report of security controls, and a security certificate. Security certificates summarise the security position, residual risks and any risk remediation plans.

Security certification documents are available or coming soon for the following services:

  • Microsoft’s Office 365 service: available now are a risk assessment, service security certificate, and independent audit report.
  • Microsoft’s Azure Active Directory service: available now are a risk assessment and service security certificate.
  • Microsoft’s Azure service: a risk assessment and service security certificate are available now.
  • Amazon Web Services infrastructure services: a risk assessment is available now. A service security certificate is anticipated to be completed by May 2017.
  • A Generic Public Cloud Risk Assessment is now available. Agencies can use this as a baseline set of risks for any Public Cloud Risk Assessment they are producing.

This guidance is not available on Agencies should request this security guidance through Sandeep Dalvi (

Guidance for office productivity services

In July 2016, Cabinet agreed that agencies can use offshore-hosted office productivity services, provided they comply with new guidance on security requirements for using these services: CAB-16-MIN-0316 (pdf, 343KB). 
DIA and GCSB have jointly developed this guidance, which describes how the New Zealand Information Security Manual (NZISM) should be applied in the context of these offshore-hosted services. This guidance is now available:

General guidance for cloud services (coming)

General guidance and architectural reference patterns will be developed to help agencies to securely use public cloud services.

The NZISM will continue to be updated in 2017 to better enable the adoption of cloud services. This is part of a wider collaboration between the GCIO and GCSB to develop guidance to assist agencies in implementing cloud services safely and consistently. The NZISM update will incorporate the new security requirements and provide new sections to specifically support agencies' risk management (and Certification and Accreditation) practices.

Page last updated: 17/05/2017