Build a strong, certifiable security plan

We develop or review System Security Plans (SSPs) aligned with NZISM, ensuring your system’s security posture is clearly defined and properly documented.
System Security Plan

Assurance and clarity for every stakeholder

Whether you're certifying a new system or updating your documentation, a robust SSP is essential. We engage with project teams, system owners, certifiers, accreditors and other stakeholders to define appropriate controls and ensure your plan reflects your security responsibilities in full.

  • Aligns to NZISM controls and risk environment
  • Provides structured input from business and technical owners
  • Covers stakeholder roles, key security measures and rationale
Service detail

What to expect from a compliant SSP

Every SSP must reflect the system’s scope, classification, risk profile and technical functionality. We work with your team to:

  • Identify applicable NZISM controls
  • Incorporate any additional controls from your SRMP
  • Address cryptographic controls and key management
  • Ensure implementation and effectiveness can be assessed
  • Provide assurance-ready documentation for certification

Control selection and rationale

Tailored to your system, aligned with NZISM

We use the latest NZISM baseline and threat intelligence to guide SSP development. Our consultants identify the relevant controls for your system and provide justification and guidance on how each control is applied.

  • Based on functionality, classification and threat profile
  • Includes control rationale and stakeholder responsibilities
  • Meets NZISM expectations for assessment and accreditation

Our delivery process

Structured development, step by step

From requirements gathering to accreditation, we partner with you every step of the way.
Define system scope and context
We work with project teams, system owners and other stakeholders to understand the business.
Map and justify controls
Using NZISM, we identify mandatory and relevant discretionary controls.
Write and review the SSP
We prepare the SSP document for stakeholder review, audit readiness and certification. Our team can support responses to certifiers or update plans as your system evolves.
Benefits

Proven experience in certified government environments

From complex cloud platforms to legacy systems, we’ve helped New Zealand agencies develop NZISM-compliant SSPs that support accreditation and reduce cyber risk.
NZISM expertise
Our team has deep understanding of NZISM and the latest control baselines - helping you implement what matters and document it clearly.
Cross-stakeholder alignment
We engage with security, IT, governance and project teams to ensure your SSP reflects the system in practice - not just on paper.
Accelerated certification
By combining strategic guidance with technical insight, we streamline the pathway to certification and reduce rework or delay.
What comes next

Extend your documentation maturity

We can help you move from a single SSP to a full suite of supporting documentation including SRMPs, cryptographic plans, and incident response procedures.

  • Maintain certification across system changes
  • Support reaccreditation and stakeholder assurance
  • Deliver fully integrated documentation for your system

Frequently asked questions

From risk assessment to rapid response - we’re with you every step of the way.

What is a System Security Plan (SSP)?

An SSP outlines the information security controls and responsibilities for a system. It’s used to demonstrate compliance with NZISM and support certification and accreditation.

Who is responsible for contributing to an SSP?

Multiple stakeholders are involved - including system owners, project teams, security leads, IT operations and certification authorities.

What should an NZISM-compliant SSP include?

It should identify relevant controls based on classification, describe how they’re implemented, include key management where applicable, and reflect all stakeholder inputs.

How often should an SSP be reviewed?

SSPs should be reviewed during system change, reaccreditation, or if NZISM is updated. Agencies are encouraged to use the latest baseline version at all times.

Can Bastion help with certification preparation?

Yes. We provide advisory and documentation services to prepare your SSP, support stakeholder review, and address feedback from certifiers.
