Late updated October 2021.

The table below sets out the minimum technology standards (standards) that the Christchurch City Council (Council, we, our or us) requires from you.

We may change these Standards by posting an updated version on our website. Changes will not apply retrospectively. We will generally try to give you at least 30 days’ notice of any material changes. You agree to check our website from time to time to ensure that you are complying with the most current version of these Standards.

These standards form part of the agreement we have with you for the provision of goods or services (agreement) and will be read together with that agreement.

You warrant that you:

  • comply with these standards at all times during the term of our agreement; and
  • will provide us with information demonstrating your compliance, when we request it.

In the event of any inconsistency between these standards and any other general warranty or contractual commitment, you have agreed with us, including as set out in the agreement, the more stringent or higher standard will apply (unless we have expressly agreed otherwise).

Any breach of these standards will constitute a breach of our agreement and you may be liable to us for damages and other available contractual remedies.

If the following applies to you, then you do not need to meet these standards:

  • You are acting as a technology provider to, or for, us and your technology is hosted on our premises where we are implementing and maintaining technology controls.
  • Your technology is a cloud service or public cloud service and we are implementing and maintaining technology controls.

Control (Process)

Minimum standard

Disaster recovery

You will have up-to-date IT disaster recovery plans in place.

Legal and regulatory

Your technology processes, applications, and systems will be compliant with all New Zealand legal and regulatory requirements.

Operational risk management

  1. You will have identified operational risks within your IT infrastructure and have a plan in place for mitigating these risks.
  2. You will give us information on the risks above where those risks are material to the services you are providing us.

Changes in your technology

  • If you have any significant planned changes to your technology, you will give us information about this, as soon as possible and before implementation.
  • Important: This requirement is particularly important where those changes will affect how you provide services to us. For example, if you move to a cloud service or if you no longer support a particular operating system or platform.

Skills and expertise

  • You will appropriately resource your operations at all times using the right levels of IT support and subject matter expertise.
  • Where the service includes you hosting systems on our behalf, you will monitor those systems to ensure continuity of development and operation of technology services.

Technical design and build

Where applicable, technology services will be designed, developed, tested and implemented to meet our approved requirements.

Change management

  • You will give us at least 30 days advanced warning of any planned downtime to the services you are providing us.
  • You will develop and record:
    • a risk and impact assessment for these changes; and
    • information about how these changes will be implemented, what post-live operational running looks like, and service recovery.

Change recovery planning

  • You will have us first approve your recovery plan for all relevant IT changes.
  • Your recovery plan will include a full back-out plans risk assessment.
  • Back-out plans will be tested and proven to recover technology services and avoid consequential impacts.

Service hosting environments

In instances where a technology service has been deemed critical to Council Critical Business Process, i.e. break the service chain, those services will be located in highly resilient data centres (at least tier 2 level) or deployed on cloud services with characteristics that are at least equivalent to tier 2 level.

Keeping technology current

IT hardware and software will be kept at version levels that allow you (as per your contractual obligations) and us to support, maintain, secure, and patch where required.

Recovery proving and assessment

  • IT disaster recovery capability of a technology service will be proven at least annually and also after any material IT change.
  • You will keep records evidencing these test results.
  • New implementations will undertake Disaster Recovery (DR) proving (including Council connectivity) within 4 weeks of service commencement.
  • Proving must evidence that recovery can be achieved on target recovery infrastructure in line with Council objectives i.e.:
  • Recovery Time Capability meets the Recovery Time Objective;
  • Recovery Point Capability meets the Recovery Point Objective; and
  • Data required to provide services to us must be backed up and available at a secondary location.

Failed recovery proving

  • When you test your DR, and there is a failure in recovering data or in the process itself, you will tell us about this, so that we may consider action in the interim until you have fixed the failure.
  • Recovery proving will be retested successfully within 3 months of the failure.

Service incident and problem management

  • We need to understand if we are buying the service of other parties’ incidental to engaging you. You will tell us who else provides services to you in order for you to supply your services to us. This is called a read across.
  • If you have an incident, you will explain why the incident occurred. You will ensure that it does not occur again. A read across must report any incidents to us for other clients that have the potential to also impact the technology service you provide us.

Asset and configuration management

  • You will maintain an up-to-date, accurate, and complete record of technology assets and configuration for the technology service you provide to us (for example, hardware, software, licences, source code and versioning).
  • If you lose a device that has our information on it, you will immediately let us know and give us any detail necessary so that we can take steps to minimise any loss.

Service management

You will have standard operating procedures for ensuring a compliant ongoing service.

Operational monitoring

  • You will continually monitor your service to ensure it is working properly and that it is not down for any reason that is not planned with us.
  • If there are lags in recovery, you will promptly communicate these to us and do what you can to mitigate any reduction in your services to us.

Capacity management

  • If disk space for performance is running low, you will let us know as soon as possible and before it hits maximum capacity.
  • You will build an alert-structure that lets us know the likelihood of any system or program running into capacity issues.
  • You will tell us before any additional capacity is needed, which may bring with it additional cost for us. We are not liable for any additional cost to you that it has not agreed to. 

Automation of manual processes

You agree to ensure that repetitive manual processes are automated, where possible, to reduce human error and improve efficiency.