Independent Security Assurance
Purpose
This page explains how BTIT obtains independent assurance over its security controls and how that assurance can be provided to agencies and customers that require formal evidence such as audit reports or security assessments.
Assurance approach
BTIT operates a security control framework that is:
- Aligned to the New Zealand Information Security Manual (NZISM) for government-grade services
- Informed by ISO/IEC 27001 control families for information security management
- Supported by BTIT’s own policies and processes, including Access Control and User Management, Password Policy, Identity Management and Protection, Incident Response, Business Continuity and Disaster Recovery, and Personnel Vetting
To validate that these controls are effective, BTIT engages independent security professionals to perform assessments of its environment and practices.
Types of independent assurance
Depending on the service and customer requirements, BTIT can provide one or more of the following forms of assurance:
- Independent security audit
  BTIT can commission, or has commissioned, independent audits of its security controls and processes. These audits typically cover areas such as:
  - Governance and risk management
  - Identity and access management
  - Network and infrastructure security
  - Secure development and change management
  - Logging, monitoring and incident response
  - Business continuity and disaster recovery
  Where permitted by its contracts and non-disclosure obligations, BTIT can share a summary or redacted version of the audit report with customers or lead agencies as evidence of independent assurance.
- Customer-specific assessments
  For customers with particular regulatory or assurance requirements, BTIT can participate in customer-led security assessments. These may include:
  - Completion of security questionnaires and controls mappings
  - Participation in risk and architecture reviews
  - Providing evidence of control operation (for example, sample outputs from monitoring, change records, backup and restore tests)
  - Supporting third-party assessments arranged by the customer, such as penetration testing of customer-facing components of BTIT-managed services
- Alignment with recognised standards
  While BTIT may not hold formal certification for every standard, its control framework is designed to align with the intent of:
  - ISO/IEC 27001 for information security management
  - SOC 2 principles (security, availability, confidentiality, processing integrity and privacy) where relevant to managed services
  - NZISM expectations for systems handling New Zealand government information
  Where helpful, BTIT can provide mappings that show how its policies and processes align with these control frameworks.
Sharing assurance evidence
To protect the security of BTIT and its customers, detailed assurance evidence is shared under controlled conditions:
- Non-disclosure: Detailed audit reports and technical findings are typically shared under a non-disclosure agreement.
- Need-to-know: Access to sensitive information (for example, detailed architecture diagrams or vulnerability findings) is limited to appropriate customer representatives.
- Summaries: Where full reports cannot be shared, BTIT provides high-level summaries of findings, remediation actions and overall assurance outcomes.
Continuous improvement
Findings and recommendations from independent assurance activities are tracked through BTIT’s internal risk and improvement processes. Identified gaps are prioritised and addressed, and completed actions are reviewed in subsequent audits or assessments.
This continuous improvement cycle ensures that BTIT’s security posture remains current with evolving threats, industry best practice and the expectations of lead agencies and regulators.