
New Zealand Government Cloud Computing Security and Privacy Considerations

Microsoft NZ addresses the questions published in the New Zealand cloud computing framework.

Microsoft and New Zealand Government Cloud Computing Security and Privacy Considerations

To help agencies undertake their analysis and evaluation of Microsoft enterprise cloud services, Microsoft New Zealand has produced a series of documents showing how its enterprise cloud services address the questions set out in the “Cloud Computing ISPC” by linking them to the standards against which Microsoft cloud services are certified. These certifications are central to how Microsoft assures both public and private sector customers that its cloud services are designed, built, and operated to effectively mitigate privacy and security risks and address data sovereignty concerns.

Learn about the benefits of NZ CC Framework on the Microsoft Cloud.

Download the NZ CC framework backgrounder

Learn how to accelerate your NZ CC Framework deployment with our Azure Security and Compliance Blueprint.

Download Azure response to the NZ CC Framework

Microsoft in-scope cloud services

  • Azure and Azure Government detailed list
  • Dynamics 365 detailed list
  • Intune
  • Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite
  • Office 365 detailed list

Exchange Online, SharePoint Online, and Skype for Business Online. (Note that Microsoft NZ has worked with the GCIO team to develop a reference architecture for integrating Exchange Online and SEEMail, described in the white paper Office 365: SEEMail Integration and Reference Architecture.)

New Zealand Government Cloud Computing Security and Privacy Overview

In October 2015, the New Zealand Government endorsed a revised all-government ICT strategy that reaffirmed its “cloud first” policy on using information technology across the public sector. The revised strategy retains the “Cloud Computing Risk and Assurance Framework” that was developed and implemented under the authority of the NZ Government Chief Information Officer (GCIO).

The government expects all New Zealand State Service agencies to work within this framework when assessing and adopting cloud services. “Requirements for Cloud Computing” outlines what agencies must do when adopting cloud services along with an overview of the history of the government’s cloud policy.

To assist NZ government agencies in conducting consistent and robust due diligence on potential cloud solutions, the GCIO has published “Cloud Computing: Information Security and Privacy Considerations” (the “Cloud Computing ISPC”). This document contains more than 100 questions focused on data sovereignty, privacy, security, governance, confidentiality, data integrity, availability, and incident response and management. Note that the “Cloud Computing ISPC” does not define a NZ government standard against which cloud service providers must demonstrate formal compliance. Many of the questions set out in the document do, however, point toward the importance of understanding how cloud service providers comply with a wide array of relevant standards.

Frequently asked questions

Organizations that fall under the GCIO mandate—the public and non-public service departments, the 20 district health boards, and seven Crown entities—must adhere to the framework when they are deciding on the use of a cloud service.

If your agency is required to undertake certification and accreditation of its ICT system under the New Zealand Information Security Manual, then you can use these responses as part of your analysis.