GB/T 36959-2018

Information security technology — Capability requirements and evaluation specification for assessment organization of classified protection of cybersecurity (English Version)

Standard No.: GB/T 36959-2018
Language: Chinese, available in English version
Release Date: 2018
Published By: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China
Latest: GB/T 36959-2018
Scope
This standard specifies the capability requirements and assessment specifications for cybersecurity classified protection assessment institutions. It applies to the capacity building, operation management and qualification assessment activities of organizations that intend to become a cybersecurity classified protection assessment institution, or to be upgraded to a higher-level one.
Introduction

Analysis of the Standard Core Framework

Capability Dimensions | Level I Requirements | Level II Enhanced Requirements | Level III Enhanced Requirements
Registered Capital | More than 5 million | More than 10 million | More than 10 million
Technical Personnel | 15 people (2 penetration testing personnel) | 30 people (3 penetration testing personnel) | 50 people (5 penetration testing personnel)
Evaluation Tools | Basic detection tools | Add protocol analysis / source code audit tools | Add penetration testing tools

Key technical capability requirements

Assessment implementation capabilities need to cover:

  • Security technology assessment (physical/network/equipment/application security)
  • Security management assessment (strategy/organization/operation and maintenance management)
  • Risk analysis capabilities (using standard analysis methods)

Level III institutions must also have penetration testing tools and an automated report generation platform.

Key nodes of the assessment process

  1. Initial assessment: document review (40+ documents), on-site witnessing (simulated system testing) and rectification acceptance
  2. Periodic assessment: unscheduled spot checks during the validity period of the certificate
  3. Capability re-evaluation: comprehensive review on a 3-year cycle

Implementation suggestions

1. Staff training: ensure that 100% of assessors are certified, and that senior assessors have presided over provincial- or ministerial-level projects

2. Equipment management: all assessment tools must pass CNAS certification, and a dedicated encrypted storage environment must be established for them

3. Quality control: it is recommended to introduce blockchain technology to prevent assessment records from being tampered with

GB/T 36959-2018 Referenced Document

  • GB/T 28448 Information security technology — Evaluation requirement for classified protection of cybersecurity (updated 2019-05-10)
  • GB/T 28449 Information security technology — Testing and evaluation process guide for classified protection of cybersecurity

GB/T 36959-2018 history

  • 2018: GB/T 36959-2018 Information security technology — Capability requirements and evaluation specification for assessment organization of classified protection of cybersecurity