By Tim Stratford and Yan Luo

China’s National Information Security Standardization Technical Committee (“NISSTC”), a standard-setting committee jointly supervised by the Standardization Administration of China (“SAC”) and the Cyberspace Administration of China (“CAC”), released seven draft national standards related to cybersecurity and data privacy for public comment on December 21, 2016.  The public comment period runs until February 2, 2017.

These new draft standards are:

  • Information Security Technology – Personal Information Security Specification
  • Information Security Technology – Implementation Guide for Cybersecurity Classified Protection
  • Information Security Technology – Security Capability Requirements for Big Data Services
  • Information Security Technology – Guide for Security Risk Assessment of Industrial Control Systems
  • Information Security Technology – Security Technique Requirements and Test Evaluation Approaches for Industrial Control Network Monitoring
  • Information Security Technology – Technique Requirements and Testing and Evaluation Approaches For Industrial Control System Vulnerability Detection
  • Information Security Technology – Testing and Evaluation Methods for the Security of Hardcopy Devices

Once adopted, the new standards will join the large group of “Information Security Technology” standards (also known as “TC260” standards) developed since 2010.  Thus far, there are over 240 national standards under the umbrella of “Information Security Technology”.  Such standards cover a wide range of cybersecurity-related subjects, including, for example, security standards for cloud computing, industrial control systems, e-government, and big data services.  The TC260 standards also include standards on the protection of personal information and on “secure and controllable” requirements for information technology products such as CPUs, operating systems, and office suites.

The “Information Security Technology” standards are voluntary national standards in China and are not legally binding.  However, with the new Cybersecurity Law expressly supporting the development of China’s own cybersecurity-related standards, we anticipate that the government will attach increasing importance to those standards.  Also, such standards can serve as an important barometer of the agencies’ interpretation of often vaguely worded laws and regulations.

In two upcoming blog posts, we will discuss the new draft standard on “Personal Information Security Specification” and several other cybersecurity standards related to cloud computing, industrial control systems and big data services.