Skip to main content

Office Productivity — restricted security controls for public cloud services

Office Productivity's template for security controls mapped to the NZISM applies to most public cloud services using ‘RESTRICTED’ information.

Security template for Office Productivity

The Office Productivity template shows the security controls needed to protect information classified as ‘RESTRICTED’ according to the NZ Government Security Classification System.

Security requirements for offshore-hosted office productivity services explained (PDF 456KB)

Use the template for risk assessments for Office Productivity and most other public cloud services

The template describes how the security controls in the New Zealand Information Security Manual (NZISM) apply in the context of:

  • Office Productivity services hosted offshore
  • most other public cloud services that do not have security templates.

Government organisations can use it to help them with their risk assessments before using public cloud services.

Assess the risks of using a public cloud service

Meet the Protective Security Requirements

The security template for Office Productivity and the NZISM help government organisations to meet the mandatory security requirements from Protective Security Requirements (PSR).

Mandatory requirements — PSR

Cabinet decision to accelerate the adoption of public cloud services

The security template was created by the:

  • Government Chief Digital Officer (GCDO) — then-called the ‘Government Chief Information Officer’
  • Government Communications Security Bureau (GCSB).

The GCDO and GCSB developed this guidance to assure risk owners and chief executives of how Office Productivity services, hosted offshore, met security requirements by applying specific controls. This was in response to the Cabinet decision for accelerating the adoption of public cloud services.

Cabinet minutes and papers for public cloud services

Security requirements covered

Focusing on paragraph 43 in the Cabinet minute, the security template for Office Productivity covers the security controls for:

  • strategy — policies and processes
  • architecture
  • encryption
  • access control
  • backup
  • archiving
  • recovery
  • incident management
  • decommissioning
  • third-party assurance.

Security requirements not covered

The security template for Office Productivity does not cover:

  • business and technical contexts
  • information classification
  • criticality — service delivery
  • data sovereignty — jurisdiction
  • privacy.

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated