Questions are ordered from the plain meaning and purpose of a security policy through document hierarchy, law and framework relationships, internal and external versions, the practical minimum policy set, ownership and a proportionate starting method for a small New Zealand business.
What is a security policy in plain English?
A security policy is a management-approved statement of the organisation's security intentions, mandatory rules, responsibilities and decision authority. It explains what the business is protecting, who must follow the rules, what outcomes are required and who owns exceptions, incidents and reviews. It should cover information, systems, identities, devices, suppliers, physical records and business processes according to the organisation's actual risks. Own Your Online describes an online security policy as a list of what the business will do about online security and says it helps staff understand how security fits into daily work and customers understand how their information will be protected. A policy is not the same as a firewall configuration, a software manual, a risk assessment, an insurance policy or proof that the organisation is secure. Those items may support the policy, but the policy establishes the organisation's agreed direction and rules.
- policy purpose — States mandatory security intent, scope, outcomes, responsibilities, authority and governance.
- people in scope — Applies to employees, directors, contractors, suppliers and other users according to the access and responsibility they hold.
- assets in scope — Covers information, applications, accounts, devices, networks, cloud services, physical records and critical processes.
- supporting material — Standards, procedures, guidelines, risk assessments and technical configurations implement or support the policy.
A security policy is our management-approved statement of what we protect, the security outcomes we require, the rules our people and suppliers must follow, and who is accountable for decisions, exceptions, incidents and review. It applies to information, systems, accounts, devices, premises, cloud services, suppliers and business processes within its defined scope.
Why does a New Zealand business need security policies?
Security policies turn broad legal, customer and risk-management expectations into consistent business rules. Privacy Act 2020 IPP 5 requires organisations holding personal information to use safeguards that are reasonable in the circumstances. The Act does not prescribe one universal private-sector security-policy template, but documented rules help the organisation decide what reasonable safeguards look like, allocate responsibility and demonstrate that security is managed rather than improvised. Policies also support onboarding, supplier management, customer due diligence, cyber insurance, incident response and consistent treatment of exceptions. Own Your Online says policies help organisations identify risks, define mitigations, answer security questions, clarify responsibilities and prepare for incidents. The NCSC Cyber Security Framework places guidance and governance across the security lifecycle and says security leaders should use a framework to help manage the security programme. A useful policy therefore connects business objectives, legal obligations, risk decisions and operating controls.
- legal driver — Translate outcome-based duties such as IPP 5 reasonable safeguards into accountable organisational rules.
- risk driver — Set consistent safeguards according to information sensitivity, threats, business dependency and potential harm.
- people and suppliers — Tell users what is required, what must be reported and who may approve access, exceptions and recovery decisions.
- commercial driver — Support customer assurance, procurement, insurance, audits and contractual security commitments.
We use security policies to convert legal, contractual and risk-management expectations into clear and repeatable business rules. Policies identify what must be protected, assign responsibility, define minimum safeguards, support consistent decisions and provide evidence that security risks are actively managed.
What is the difference between a policy, standard, procedure and guideline?
A practical document hierarchy separates decisions about required outcomes from the detailed way work is performed. A policy states mandatory management intent, scope, responsibilities and high-level rules. A standard translates the policy into mandatory, measurable requirements, such as requiring MFA on administrator accounts or supported software on business devices. A procedure gives the ordered steps for performing a task, such as creating a user account, restoring a backup or reporting a lost laptop. A guideline provides recommended approaches where judgement is allowed, such as suggestions for arranging a secure home workspace. Organisations sometimes use these labels differently, so the important step is defining them consistently. Policies should not be overloaded with technical settings that change frequently; those details are usually easier to maintain in standards and procedures. Guidelines should not quietly contain requirements that the organisation intends to enforce as mandatory.
- policy — Mandatory direction, scope, principles, responsibilities, authority and required outcomes.
- standard — Mandatory and measurable control requirements used to implement policy.
- procedure — Ordered operational steps showing who performs a task, when and how.
- guideline — Recommended practices that allow reasonable judgement unless separately made mandatory.
In our document hierarchy, a policy states mandatory direction and accountability; a standard defines mandatory measurable requirements; a procedure explains the steps for completing a task; and a guideline provides recommended practices where judgement is permitted. A requirement must not be presented as optional guidance, and frequently changing technical settings should normally sit below the policy level.
How do security policies connect to New Zealand law and cyber security frameworks?
Law, frameworks, controls and organisational policies perform different jobs. The Privacy Act sets legal outcomes, including IPP 5's requirement for reasonable safeguards. The NCSC Cyber Security Framework organises security activity into five functions: Guide and Govern, Identify and Understand, Prevent and Protect, Detect and Contain, and Respond and Recover. The ten NCSC Critical Controls identify practical priorities such as patching, MFA, password management, logging, awareness, asset lifecycle management, backups, application control, least privilege and network segmentation. Own Your Online translates many of those ideas into accessible small-business guidance. The organisation's policies then state which requirements it has adopted, who owns them and how they apply to its actual risks. A framework complements rather than replaces the organisation's risk process and security programme. NZISM supplies detailed government-focused controls and may be useful to other organisations, but it is not automatically mandatory for every private SME.
- law — Creates binding duties and outcomes, such as Privacy Act requirements for reasonable safeguards and breach notification.
- cyber security framework — Organises security objectives and activities across governance, prevention, detection, response and recovery.
- control guidance — Identifies practical safeguards and implementation priorities.
- organisational policy — States how the particular organisation will meet applicable duties and manage its risks.
Law defines obligations and required outcomes. Frameworks organise the security programme. Control guidance identifies practical safeguards. Our policies state how those requirements and recommendations apply to our information, systems, people, suppliers and risks. A framework or control list supports, but does not replace, accountable risk management and operating evidence.
What is the difference between an internal security policy and an external security statement?
Own Your Online recommends an internal version for staff and an external version for customers. The internal policy contains operational detail: roles, systems, access rules, authentication requirements, approved tools, backup responsibilities, monitoring, incident processes and information that could be sensitive if published. The external version is a lighter public statement explaining how the organisation protects customer information, how long it may retain it, how customers can report a vulnerability or security concern and what the organisation will do if something goes wrong. The public statement should be truthful and useful but should not reveal security architecture, administrator details, recovery secrets, internal contact trees or exploitable control limitations. An external security statement also does not replace a privacy statement: privacy information explains collection, use, disclosure, access and other privacy matters, while a security statement focuses on protection and response.
- internal security policy — Detailed mandatory rules, responsibilities, systems, processes and sensitive operational information.
- external security statement — Public, customer-facing summary of protection commitments, reporting channels and incident approach.
- privacy statement — Explains personal-information practices and rights and should align with, but not be confused with, the security statement.
- publication boundary — Publish enough to build trust and enable reporting without exposing sensitive internal safeguards.
Our internal security policy contains detailed roles, rules, systems and response processes and is not published. Our external security statement gives customers a clear and truthful summary of how we protect information, how security concerns can be reported and how we respond when something goes wrong. Public material must not expose sensitive technical or operational details.
What does a minimum security policy set look like for a New Zealand SME?
There is no single legally prescribed private-SME policy pack, and a very small business may combine several topics into one document. A practical minimum set usually includes: a master information security policy; acceptable use; access control and authentication; remote work and BYOD; incident and privacy-breach response; backup, recovery and continuity; and supplier, cloud and third-party security. Businesses holding personal information should also maintain privacy governance, retention and disclosure rules, whether in a separate privacy policy or within related documents. Depending on the business, additional policies may address data classification, encryption, logging and monitoring, vulnerability management, secure development, physical security or artificial intelligence. The important test is coverage, ownership and operation rather than the number of files. Own Your Online's suggested policy content spans data, systems, access, authentication, devices, acceptable use, physical protection, logs and incidents, which supports this practical minimum set.
- core governance — Master information security policy defining scope, objectives, roles, authority, exceptions and review.
- people and access — Acceptable use, access control, passwords, MFA, privileged access, BYOD and offboarding.
- resilience and response — Incident response, privacy-breach response, backups, recovery, continuity, communications and lessons learned.
- information and suppliers — Data handling, retention, cloud services, providers, contracts, monitoring and secure disposal.
Our minimum policy set covers security governance, acceptable use, access and authentication, remote work and BYOD, incident and privacy-breach response, backup and recovery, and supplier and cloud security. Privacy, information handling, retention, monitoring and disposal requirements are included in these documents or maintained as separate policies where the risk and complexity justify it.
Who should own and approve security policies, and what is the privacy officer's role?
A senior leader should own and approve the security-policy framework because the policies affect budget, risk acceptance, staff obligations, suppliers and business operations. Technical personnel can draft and operate controls, but they should not be left as the sole owners of business-risk decisions. Each supporting policy should have a named owner responsible for keeping it accurate, implementing requirements, tracking exceptions and reporting unresolved risk. The Privacy Act requires organisations to have at least one person fulfilling the privacy-officer role. OPC says that person should understand the privacy principles, help the organisation comply, oversee privacy complaints and information requests and act as liaison with OPC. The privacy officer should therefore review policy provisions concerning personal information, monitoring, data sharing, retention and privacy breaches. In a small business, the manager may hold both policy-owner and privacy-officer responsibilities, but the roles should still be recorded.
- senior policy owner — Approves direction, allocates resources, resolves material conflicts and accepts residual risk within authority.
- policy document owner — Maintains content, coordinates implementation, tracks evidence and initiates review.
- privacy officer — Oversees Privacy Act alignment, privacy processes, complaints, requests, breach response and liaison with OPC.
- technical and business owners — Confirm that policy requirements are feasible, implemented and operating in their systems and processes.
A senior leader owns and approves the security-policy framework. Each policy has a named document owner responsible for implementation, evidence, exceptions and review. The privacy officer reviews requirements involving personal information and oversees Privacy Act processes. Technical and business owners remain accountable for operating the controls assigned to their systems and processes.
How does a small business actually get started without creating a huge compliance project?
Start with the business rather than a downloaded template. List the important information, systems, accounts, devices, suppliers and business services; identify the most credible threats and the consequences if those assets are lost, altered, exposed or unavailable; then document the safeguards already operating and the most important gaps. Complete the free Own Your Online business assessment to obtain a customised action plan. Compare current practices with the ten NCSC Critical Controls and use the five NCSC framework functions to check that governance, prevention, detection and recovery are all covered. Draft a short master policy and only the supporting policies needed for the real environment. Name an owner for each requirement, set achievable due dates and record temporary exceptions. Train people on the rules that affect their jobs, supply the tools needed to comply and test important procedures such as account removal, backup restoration and incident response. Review the policies after material changes and at least annually as a practical baseline.
- discover — Identify information, systems, people, suppliers, obligations, critical services and realistic threats.
- prioritise — Use Own Your Online and NCSC controls to choose the highest-value improvements rather than documenting everything at once.
- document and assign — Write concise rules, name owners, record exceptions and set implementation dates.
- operate and improve — Provide tools and training, retain evidence, test procedures and update policies when the business changes.
Start with what the business actually holds, uses and depends on. Identify the most important information, systems, accounts, suppliers and risks; compare current practices with Own Your Online and the NCSC Critical Controls; write short rules for the highest-priority gaps; assign an owner and due date; provide the tools people need to comply; and test that the controls work. Expand the policy set only when the business, risk or obligation requires it.
What are the most common misunderstandings about security policies?
A security policy is not proof that safeguards operate, a substitute for risk assessment, a one-time compliance exercise or a document owned only by the IT provider. It is not the same as a privacy statement, cyber-insurance policy, technical standard, procedure, framework or certification. Copying a long template can make matters worse if it promises controls the business does not operate, contains the wrong jurisdiction or cannot be understood by users. Policies should not contain every technical setting, because those values will change more often than the underlying intent. Nor should a small business assume that it needs the same policy volume as a bank or government department. The correct level is proportionate to the organisation's role, scale, risk exposure, information and dependencies. Finally, Australian instruments such as the Essential Eight, ASD ISM and SMB1001 must not be presented as New Zealand law or official New Zealand frameworks. The relevant New Zealand foundations are the Privacy Act, OPC guidance, NCSC, Own Your Online and, where appropriate, NZISM.
- paper compliance — A signed document without tools, training, ownership, evidence or enforcement does not establish effective security.
- document confusion — Policies, standards, procedures, guidelines, frameworks, privacy statements and certificates perform different functions.
- template risk — Generic documents may contain irrelevant controls, incorrect laws and commitments the organisation cannot meet.
- jurisdiction and proportionality — Use New Zealand authorities and scale the policy set to actual risk rather than importing another country's regime.
A policy is not proof, certification, insurance or a guarantee against incidents. It is useful only when it reflects the real business, assigns responsibility, is supported by operating controls and evidence, and is understood by the people who must follow it. Templates and overseas frameworks must not be presented as New Zealand legal requirements without a valid local or contractual basis.
What's my next step?
Common misconceptions
- A security policy is a piece of security software or a technical configuration. It is a governance document supported by standards, procedures, tools and operating controls. INFERRED
- Every private New Zealand business is expressly required to hold a document with the exact title 'security policy'. No universal titled-document requirement was identified, although IPP 5 and other obligations require relevant security outcomes. INFERRED
- A privacy statement and a security policy are the same document. A privacy statement explains personal-information practices, while an internal security policy contains broader and more detailed operational rules. INFERRED
- A policy is effective once senior management signs it. Own Your Online says security policies need to be embedded into everyday work, culture, staff management and customer treatment. VERIFIED
- A downloaded template proves the business is secure. A useful policy must reflect the organisation's actual services, information, systems, suppliers and risks. INFERRED
- The IT provider owns the organisation's security policies and risk decisions. Providers can advise and implement controls, but organisational leaders remain responsible for business rules and accepted risk. INFERRED
- A cyber security framework replaces policies, risk assessment and the security programme. NCSC says a framework complements rather than replaces risk management and the security programme. VERIFIED
- A small business needs the same number and complexity of policies as a major bank. Security safeguards should be proportionate to role, scale, information and risk exposure. VERIFIED
- All technical settings belong in the master policy. Frequently changing values are generally easier to manage in standards, procedures and controlled configurations. INFERRED
- An external security statement should publish detailed internal security controls. Own Your Online says the internal version may contain sensitive information and should not be publicly available. VERIFIED
- NZISM automatically applies in full to every private New Zealand business. It is intended for government, although private-sector organisations are encouraged to use it. VERIFIED
- Australia's Essential Eight, ASD ISM and SMB1001 are official New Zealand security-policy frameworks. They are not and should not be presented as New Zealand law or official New Zealand baselines. INFERRED
Obligations at a glance
The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.
| OBLIGATION | REGULATOR | TRIGGER | TIMEFRAME | PENALTY |
|---|---|---|---|---|
| Privacy Act 2020 IPP 5 reasonable security safeguards | Office of the Privacy Commissioner | The organisation holds personal information. | Ongoing while the information is held and whenever systems, suppliers, uses, threats or handling arrangements change. | |
| IPP 5 safeguards for service-provider handling | Office of the Privacy Commissioner | Personal information is given to another person in connection with providing a service to the organisation. | Before and throughout the service arrangement, using everything reasonably within the organisation's power to prevent unauthorised use or disclosure. | |
| Privacy officer appointment | Office of the Privacy Commissioner | The entity is an organisation or agency subject to the Privacy Act. | Maintain at least one person fulfilling the privacy-officer role on an ongoing basis. | |
| Privacy Act 2020 IPP 10 limits on use | Office of the Privacy Commissioner | The organisation proposes to use personal information for a purpose beyond the purpose for which it was obtained. | Before the use, confirm that the original purpose, a directly related purpose or another authorised IPP 10 ground applies. | |
| Privacy Act 2020 IPP 11 limits on disclosure | Office of the Privacy Commissioner | The organisation proposes to disclose personal information to another person or organisation. | Before disclosure, confirm that the original purpose or another authorised IPP 11 ground applies. | |
| Notifiable privacy breach | Office of the Privacy Commissioner | A privacy breach has caused or is likely to cause serious harm to an affected individual. | Notify the Commissioner and affected people as soon as practicable; OPC says notification should ideally occur within 72 hours after awareness of a notifiable breach. | Failure without reasonable excuse to notify the Commissioner is an offence punishable by a fine up to NZD 10,000. |
| Public service department cyber security framework requirement | Protective Security Requirements and the Government Chief Information Security Officer | The organisation is a New Zealand public service department subject to the Protective Security Requirements. | Maintain and use a cyber security framework as part of ongoing mandatory protective-security obligations. | |
| Contractual or procurement security-policy requirement | Customer, government agency or contracting party entitled to enforce the agreement | A contract, tender, security schedule, insurance policy or supplier arrangement requires defined policies, standards, controls or assurance. | As stated in the applicable agreement, including implementation, review, evidence, incident and renewal deadlines. | Contractual, procurement or insurance consequences may apply depending on the agreement. |
Sources
- Create an online security policy for your business primary
- Business online security assessment tool primary
- Choosing an IT service provider primary
- Own Your Online business guidance primary
- NCSC Cyber Security Framework primary
- NCSC Critical Controls: Summary primary
- NCSC Protect your organisation primary
- New Zealand Information Security Manual primary
- About the New Zealand Information Security Manual primary
- NCSC and CERT NZ integration now complete primary
- Privacy Act 2020 information privacy principles primary
- Privacy Act 2020 Principle 5 — Storage and security of information primary
- Privacy Act 2020 Principle 10 — Limits on use primary
- Privacy Act 2020 Principle 11 — Disclosure of personal information primary
- Information for privacy officers primary
- What security measures are appropriate? primary
- NotifyUs of a serious privacy breach primary
- Privacy Commissioner speech to the 2026 National Cyber Security Summit primary
- Privacy Act 2020 primary
- Geekzone discussion of proportionate business cyber security forum
This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.