Third-party services we currently use
|
How we assess and approve providers and their services
![]() |
What we expect as standard
|
How we assess
|
![]() |
![]() |
How we approve
|
Related information
Security complianceLearn more > |
Security assuranceLearn more > |
Security controlsLearn more > |
What we expect as standard
- They need to have a strong reputation within their industry.
- We prefer they possess and maintain certification to an international standard such as ISO 27001 or NIST SP 800-53.
- Data centres and IaaS cloud services must be independently certified to the industry standard SOC 2.
- We prefer that third-party providers and services are located in New Zealand or Australia. Some innovative cloud services are not available in New Zealand but can be accessed in Australia, and they have a similar regulatory environment to New Zealand.
How we assess
- We assess third-party providers and their services against appropriate security controls. For more details on these, visit Security systems and information.
- We ensure that agreements with third-party service providers include security provisions to protect confidential and sensitive information and business applications.
- All third-party service providers are reassessed periodically against industry standards and to ensure appropriate controls are in place to maintain the security of their services.
How we approve
- Third-party service providers are approved by our Information Security Management Team before the service is used by us.

Related information
Security complianceLearn more > |
|
Security assuranceLearn more > |
|
Security controlsLearn more > |