Bastion Security

Why the New PSR Framework Is Actually Good News (Yes, Really)

October 16, 2025

By now, the grapevine will have worked its magic, and everyone will be aware (or should be aware) that the Protective Security Requirements (PSR) have undergone a much-needed uplift and upgrade. This update has transformed loose guidance that was open to interpretation into approximately 750 MUST/SHOULD/COULD statements, referred to here for ease of reference as "controls".

This new approach brings the PSR framework into closer alignment with the New Zealand Information Security Manual (NZISM), which many of us are already familiar with. Combined with the recently published Minimum Cyber Security Standards from the National Cyber Security Centre (NCSC), we're finally seeing the gap between PSR and NZISM begin to close.

Yes, 750 "controls" sounds daunting, and it is. But here's the silver lining: we now have a prescriptive framework that removes ambiguity from compliance assessments. No more debating interpretations of vague guidance.

The updated PSR Capability Maturity Model (PS-CMM) and the new Moderation Framework (particularly the Evidence Guides) clearly spell out what's required for assessment and how PS-CMM ratings are determined.

So, what does this mean for your organisation? The reality is that assessments under this new framework will be resource-intensive the first time around. However, subsequent assessments will become significantly more streamlined. Here at Bastion, we've reviewed the new framework, and here are some things your organisation can begin doing now to prepare for this change and get ahead of the curve for the 2025/2026 assessments.

Understand your Requirements

Start reviewing the Capability Maturity Model and Moderation Framework early, with particular focus on the Evidence Guides. The sooner you understand what's needed to meet CMM 2 (the minimum baseline), the sooner you can begin closing gaps in your current security posture.

Given that the PSR team and assessors are expecting this first round of assessments to take longer than previous cycles, early preparation is your best strategy. Understanding the requirements now means identifying your gaps before you're in the assessment hot seat.

Prepare for Change

Change is challenging; there's no getting around that. But preparation makes all the difference. Once you know what the framework requires, you can prioritise your efforts strategically: focus first on the areas where you're furthest from meeting the baseline requirements, and build your evidence base systematically.

Having your documentation, processes, and controls ready before the framework officially launches will make assessments smoother and far less stressful. You'll avoid the frustration of learning a new compliance approach while simultaneously trying to demonstrate your organisation meets it.

Communicate Change Early

Don't wait to brief your leadership teams on the upcoming changes and their potential impact on your PSR scores. With the new framework being more prescriptive and the updated PS-CMM rating methodology, your organisation's scores may shift (either up or down) regardless of whether your actual security posture has changed.

It's worth having these potentially difficult conversations with senior and executive leadership now rather than during the assessment. Set clear expectations that results may differ from previous assessments, not because your security has degraded, but because the measurement criteria have changed. Leaders who understand this context early will be far more supportive of the resources and time needed to meet the new baseline requirements.

Looking Ahead to the 2026 Self-assessment

The updated PSR framework represents a positive shift toward clarity and consistency in protective security. While the initial transition will require effort, organisations that start preparing now will find themselves well-positioned for smoother assessments and stronger security postures overall. The key is treating this as an opportunity to strengthen your foundations rather than a compliance burden to endure.

As the security community adapts to this new framework together, sharing experiences and learnings will be invaluable. We'll continue to provide updates and insights as organisations begin their transition journey. In the meantime, start early, stay organised, and remember: the first assessment is the hardest; it gets easier from there.

Need Support with Your PSR Transition?

Navigating the new PSR framework doesn't have to be overwhelming. At Bastion, we help organisations prepare for their annual PSR self-assessments by conducting comprehensive gap analyses across the four security domains (governance, personnel, information, and physical security). Whether you need support understanding the new framework, building your evidence base to demonstrate capability maturity, or developing risk management plans for areas of non-conformance, we're here to help.

Get in touch to discuss how we can support your organisation's PSR compliance journey.

