Tips for right-sizing your risk assessment

Match your time and effort on risk assessments to the information’s risk and value — here’s why and how.

Use information in secure and respectful ways

Government organisations must responsibly use the information of the NZ government and New Zealanders. This involves:

  • only storing data classified as RESTRICTED or below in a public cloud service
  • setting up security controls to protect information in ways that match its risk level.

Cabinet minutes and papers for public cloud services

Common levels of information classification

Most information used by the NZ government in public cloud services is either:


Classify information

Balance your resources — right-size risk assessments

Government organisations have a responsibility to use their financial and human resources wisely. For risk assessments, this means spending:

  • more time and effort on high-value information
  • less time and effort on low-value information.

This is often called right-sizing your response to risk.

What often happens when you do not right-size assessments

If you pour lots of resources into assessing the risks of all types of information, this can:

  • stop you from using, or slow down your use of, public cloud services that would otherwise help your people meet your organisation’s business needs
  • divert resources from high-risk information to low-risk information — increasing the overall risk to your organisation.

At the other extreme, focusing too few resources on risk assessments can lead you to under-protect high-risk information.

Benefits of right-sizing your risk assessments

Right-sizing your risk assessments helps you to:

  • use your information security resources in the right places — that is, most effectively
  • take advantage of the benefits of using public cloud services.

Benefits of using public cloud services

Match your time and effort to the risk level

Use the risk discovery tool for public cloud services.

Risk discovery tool for public cloud services

Using the tool helps you answer the risk and security questions that fit your situation. In other words, you can avoid wasting time on questions that do not match the risk and value of the information you’re looking to use in a public cloud service.

Always consider any additional questions and risk areas that are specific to your business and technical contexts.

Follow your organisation’s process for assessing risks.

Create or improve your organisation’s process for assessing risks

Low information classifications with high values and risks

Classification levels, such as UNCLASSIFIED and IN-CONFIDENCE, are part of the Government Security Classification System. However, you also need to consider business impacts, because they might make information more valuable than its classification level suggests.

Business impact levels can help you decide if the information is of greater value to your organisation, the NZ government and New Zealanders.

Applying Business Impact Levels — Protective Security Requirements
