Information Security Standards and Specifications (2)

  • International information security standardization began in the middle of the 1970s, rapidly developed in the 1980s, and drew global attention in the 1990s. At present, there are nearly 300 international and regional organizations establishing standards or technical rules.
  • ISO is a global non-governmental organization and plays a crucial role in international standardization. It has published international standards and related documents for most fields (including monopolized industries such as military, oil, and shipping).
  • IEC was the first international organization established for the preparation and publication of international standards for all electrical, electronic and related technologies.
  • ITU is the United Nations specialized agency for information and communication technologies. It allocates global radio spectrum and satellite orbits, develops global telecommunication standards, works to improve telecommunication infrastructure in the developing world, and promotes global telecommunication development.
  • IETF is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet.

  • Plan: ISMS planning and preparation
    • Establish security policy, objectives, processes and procedures relevant to managing risks and improving information security to deliver results in accordance with an organization's overall policies and objectives.
  • Do: ISMS document development
    • Implement and operate the ISMS policy, controls, processes and procedures.
  • Check: ISMS operation
    • Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.
  • Action: ISMS examination, review, and continuous improvement
    • Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.


ISO/IEC 27001 and ISO/IEC 27002, released in 2013, are the editions currently in use.

  • Any company can implement an ISMS, but how, and which requirements must be met? ISO 27000 provides detailed requirements that organizations can use to establish an ISMS.
  • ISO 27001 is used to manage information security risks on the basis of risk assessments and to improve information security management comprehensively, systematically, and continuously through the Plan, Do, Check, Action (PDCA) cycle. It can be used to establish and implement an ISMS and to ensure the information security of an organization.
  • ISO 27001 is an overall information security management framework based on the PDCA cycle; it focuses on establishing a continuous, cyclic, long-term management mechanism. Certification is possible only against ISO/IEC 27001; the other ISO/IEC standards in the family provide the specific clauses and operational guidance used for that certification. For example, ISO 27002 defines specific information security management processes under the guidance of ISO 27001.

Key check points in the ISO 27001 certification process:
  • Document review:
    • Risk assessment reports
    • Security principles
    • Statement of Applicability (SoA)
    • Other ISMS documents
  • Formal review:
    • Check records, including account and permission assignment, training, business continuity drill, access control, and media usage records.
    • Check the information asset identification and processing, and risk assessment and handling forms.
    • Perform a terminal security check, including the screen saver, screen lock, and antivirus software installation and upgrade status.
    • Carry out a physical environment survey, including field observation and inquiry of equipment rooms and office environments.


Graded protection of information security refers to:
  • Graded security protection of crucial government information, private and public information of legal persons, organizations and citizens, and the information systems that store, transmit, and process that information.
  • Graded management of information security products in information systems.
  • Graded response to and handling of information security incidents in information systems.

Legal liabilities of graded protection:
  • An organization that does not carry out assessment for graded protection will be ordered to rectify according to the relevant regulations. If it violates the provisions of China's Cybersecurity Law, in force since June 2017, it will be punished according to the relevant laws and regulations. Article 21 of the Cybersecurity Law: The State implements a tiered cybersecurity protection system. Article 59: Where network operators do not perform the cybersecurity protection duties provided for in Articles 21 and 25 of this Law, the administrative department shall order corrections and give warnings; where corrections are refused or the failure leads to endangerment of cybersecurity or other such consequences, a fine of between RMB 10,000 and RMB 100,000 shall be imposed, and the persons directly in charge shall be fined between RMB 5,000 and RMB 50,000.

Development timeline:
  • February 18, 1994, Decree No. 147 of the State Council, Regulations of the People's Republic of China for Safety Protection of Computer Information Systems
  • September 2003, No. 27 [2003] of the General Office of the CPC Central Committee, Opinions for Strengthening Information Security Assurance Work
  • November 2004, No. 66 [2004] of the Ministry of Public Security, Notice of the Ministry of Public Security, the State Secrecy Bureau, the State Cipher Code Administration and the Information Office of the State Council on Issuing the Implementation Opinions on the Graded Protection of Information Security
  • September 2005, No. 25 [2004] of the State Council Information Office, Notice on Forwarding the Guide for Implementing Graded Protection of e-Government Information Security
  • January 2006, No. 7 [2006] of the Ministry of Public Security, Notice of the Ministry of Public Security, the State Secrecy Bureau, the State Cipher Code Administration and the Information Office of the State Council on Issuing the Administrative Measures for the Graded Protection of Information Security (for Trial Implementation)
  • June 2007, No. 43 [2007] of the Ministry of Public Security, Notice of the Ministry of Public Security, the State Secrecy Bureau, the State Cipher Code Administration and the Information Office of the State Council on Issuing the Administrative Measures for the Graded Protection of Information Security
  • 2008, GB/T 22239-2008 Baseline for classified protection of information system security and GB/T 22240-2008 Classification guide for classified protection of information system security
  • 2009, No. 1429 [2009] of the Ministry of Public Security, Guiding Opinions on the Building and Improvement of Graded Protection of Information Systems
  • March 2010, No. 303 [2010] of the Ministry of Public Security, Notice on Promoting the Assessment System Construction and Grade Assessment for Graded Protection of Information Security

Protection grades:
  • Grade I: Destruction of the information system would cause damage to the legitimate rights and interests of citizens, legal persons and other organizations, but would cause no damage to national security, social order or public interests.
  • Grade II: Destruction of the information system would cause severe damage to the legitimate rights and interests of citizens, legal persons and other organizations or cause damage to social order and public interests, but would not damage national security.
  • Grade III: Destruction of the information system would cause severe damage to social order and public interests or would cause damage to national security.
  • Grade IV: Destruction of the information system would cause particularly severe damage to social order and public interests or would cause severe damage to national security.
  • Grade V: Destruction of the information system would cause particularly severe damage to national security.

  • The legislation in the Sarbanes-Oxley Act (SOX) stems from a December 2001 securities scandal involving Enron, then one of the largest energy companies in the United States. The company hid massive debts that, when revealed, sent its stock price tumbling. With investor confidence "thoroughly destroyed", the United States Congress and government rapidly introduced the SOX Act. The act promised "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes."
  • The act contains the following:
    • Setting up the Public Company Accounting Oversight Board (PCAOB) to supervise registered public accounting firms
    • Strengthening auditor independence
    • Increasing corporate responsibility for financial reports
    • Enhancing financial disclosures
    • Increasing criminal penalties

  • The SOX Act's impact on corporate governance:
    • Responsibilities of board members: Board members and the audit committee must undertake self-assessment and continuing education.
    • Professional ethics and corporate legal compliance: The act requires companies to develop written provisions on employees' professional ethics and requires the audit committee to establish an internal reporting incentive mechanism.
    • Transparency and information disclosure: The Securities and Exchange Commission recommended the establishment of an Information Disclosure Committee to strengthen the responsibilities of internal audit departments.
    • Risk management and control: Establish an internal control system and process.
Ref: [1]