[Expert's Perspective] "Announcement on Carrying out Data Security Management Certification" hot questions answers

In early June, the State Administration of Market Supervision and Management and the National Internet Information Office jointly issued the "Announcement on the Carrying and Certification of Data Security Management Certification" (No. 18, 2022), with the date of issuance of June 5. Data security and certification are hot issues, and the combination of the two increases more attention. To this end, the authority authorized by the "Beckham Said" and reproduced its hottest attention to the document to answer questions, for reference only.

1. How to understand the certification?

"Certification" is a serious topic. We often say that some institutions claim to have certification and issuance of certificates, but many of them are illegal. We cannot write a report to cover a chapter called "certification". Certification comes from the needs of commodity circulation from the era of socialization. The buyer is naturally distrustful of the seller's products or services. At first, the seller himself proved that this was called one party certification, but so it was suspected of "Wang Po sells melon to sell himself"; since then, it has developed into the buyer to conduct the seller's product or service of the seller's product or service. It proves that this is called second parties certification. At this time, the buyer must be assured, but if each buyer is doing so, it will obviously bring a high social cost, and the buyer may not have the corresponding technical and ability; The emergence of the response, that is, a third -party agency recognized by the buyer and the seller to prove the product and service, which is the origin of the modern certification system. What people call today refers to third -party certification.

2. What are the regulatory system for certification in my country?

Obviously, since the certification agency must endorse the products and services, the certification issued to be provided for the product circulation process, and it must be very reliable, so the certification activity must be under strict supervision. To this end, my country has formulated the "Regulations on Certification of the People's Republic of China". On September 3, 2003, the State Council of the People's Republic of China was announced No. 390; the first revision of the "State Council's Decision on Modification of some Administrative Regulations" was revised on February 6, 2016; The decision to abolish some administrative regulations for the second time. At present, the regulations are continuing to revise. In November 2021, the State Administration of Market Supervision announced on the official website of the draft of the regulations on the official website.

The "Certification and Accreditation Regulations of the People's Republic of China" stipulates that obtaining the qualifications of certification agencies shall be approved by the certification and supervision and management department of the State Council and engage in certification activities within the scope of approval. Without approval, no unit or individual may engage in certification activities. The "State Council Certification Certification and Certification Supervision and Administration Department" here refers to the State Certification and Certification Supervision and Administration Commission (State Certification Supervision Commission). Before the reform of the institutional institution, the State Certification Commission was a deputy ministerial institution under the General Administration of Quality Supervision, Inspection and Quarantine. After the reform of the institution, the sign of the State Certification Commission is still there, but the functions are borne by the relevant departments within the State Administration of Market Supervision.

This is why the "Announcement on Carrying out Data Security Management Certification" is jointly issued by the State Administration of Market Supervision and the National Internet Information Office, and the use of the State Administration of Market Supervision is the reason.

3. What are the certification objects?

According to the "Certification and Certification Regulations of the People's Republic of China", certification refers to a qualified assessment activity that proves that products, services, and management systems that comply with relevant technical specifications and relevant technical specifications. This means that the certification objects are divided into three types: products, services, and management systems. However, after obtaining the qualifications of the certification agency, it can issue a certificate to any object, and it can only be engaged in certification within the scope approved by the State Certification Commission. That is, approve you only certifying wooden products, and you must not certify software products.

The "Regulations on the Certification of the People's Republic of China" also requires that certification agencies engaged in product certification activities should also have technical capabilities such as inspection and inspection that are compatible with relevant product certification activities. So who commented on the ability of the certification agency? This leads to the concept of "recognition", that is, the ability and practice qualifications of certification activities such as certification agencies, inspection agencies, laboratories, and certification activities such as reviewing and reviewing are recognized by the recognition agency. The "recognition agency" here refers to China's qualified assessment of the State Council. Therefore, in addition to the approval of the State Consultation Commission, the certification agency must also be verified by the National Approval Commission.

4. What kind of certification is the "Announcement on Carrying out Data Security Management Certification Work"?

As mentioned earlier, there are three types of certification objects. The Announcement on Carrying out Data Security Management Certification "carried out the management system certification.

That is, through this work, it is necessary to issue a certification certificate to an organization's data security management system. It can be complied with ISO 9000, ISO 14000, ISO 27000 and other certifications. They are targeted at the quality management system, environmental management system, and information security management system. This time it was nothing more than a "data security management system" in this series.

V. Announcement on the "Announcement on the Work of Data Security Management Certification", what is the "Rules for the Implementation of Data Safety Management Certification"?

Now that you want to issue a certificate that can be collected, you must experience a strict process. So what is the work process? The "Certification and Accreditation Regulations of the People's Republic of China" stipulates that certification agencies shall engage in certification activities in accordance with the basic specifications and certification rules. The basic norms and certification rules are formulated by the certification and recognition supervision and management department of the State Council; if it involves the duties of the relevant departments of the State Council, the certification and recognition supervision and management department of the State Council shall be formulated in conjunction with the relevant departments of the State Council. If it is a new field of certification, and the departments stipulated in the preceding paragraph have not yet formulated certification rules, the certification agency can formulate certification rules on its own and report to the certification and recognition supervision and management department of the State Council for record. That is, no matter which type of certification is carried out, the basic specifications and certification rules must be formulated first, and the "Implementation Rules of Data Security Management Certification" is such a thing. 6. How is the data security management system certification system designed? Is there any trace to follow before?

In fact, the competent authority began to design my country's data security certification system very early. In May 2019, the National Network Information Office publicly solicited opinions on the "Data Security Management Measures (Draft for Opinions)". Article 34 of the document states: "The state encourages network operators to voluntarily pass data security management certification and application security certification, encourage search engines, app stores, etc. to clearly identify and give priority to application applications. Market supervision and management department, guide national network security review and certification agencies, and organize data security management certification and application security certification. "

Since then, the security certification of mobile applications has been gradually established, but data security management certification has been preparing.

At present, the "Data Security Law" has been released and implemented, and the "Regulations on the Management of Network Data Security" is being formulated, and the Measures for the Management of Data Security should not continue to be formulated. However, the work ideas established at the time continued, which is the earliest source of the data security management system certification system.

7. How to understand the standard GB/T 41479 "Information Security Technology Network Data Processing Security Requirements" based on the data security management system certification system?

Since the "Data Security Management Measures (Draft for Opinions)" put forward data security management certification, the competent authority has begun to consider the standard specifications based on the certification. In 2020, the National Standardization Management Commission issued a national information security standard formulation project to formulate the "Information Security Technology Network Data Processing Safety Standards", codenamed 20205156-T-469. The standard is led by the China Network Security Examination Technology and Certification Center, and it is compiled with the China Institute of Electronic Technology Standardization and Tsinghua University.

It can be said that this standard was originally formulated to carry out the certification of the data security management system. It is equivalent to the ISO 27001 in the field of data security. Since then, according to actual work needs, the standard name has been changed to the "Information Security Technology Network Data Processing Security Requirements". The reason for this change is that this standard is only a bit narrow to the data security management system certification. The competent authority hopes that this standard will play a role in guiding work within a larger range.

After two years of enthusiasm, the standard was officially released on April 15, 2022. Starting from November 2022, the standard number is GB/T 41479-2022.

8. What is the relationship between the data security management system certification system and the data security certification system? Is there any other data security certification in the future?

Data security management system certification is a type of data security certification. At present, my country has established two data security -related certification systems: data security management system certification and mobile Internet APP security certification. In the future, data security certifications for other products will not be ruled out, and data security certification for services will be carried out. However, the ever -changing is inseparable from its ancestors. The major categories are divided into three types: products, services and management systems. The above three types of data security certification may be available.

When designing the personal information outbound security management system, the "Personal Information Protection Law" uses "personal information protection certification" as one of the ways of personal information outbound. Therefore, this work is also the direction of future efforts. However, did you get the data security management system certification certificate, which is equivalent to passing the personal information protection certification in the outbound scenario? It is not ruled out that the two are closely related, which requires the authority to confirm. However, it is clear that even if you accept the data security management system certification in the outbound scenario of personal information, this certificate alone is still not enough. After all, there are more factors for data outbound security risks.

In addition, it should be pointed out that there is currently a "Bolai" data security certification, namely ISO 27701 certification. This certification is also a data security management system certification, but it focuses on personal information protection and is born in ISO 27001. Many institutions in my country have passed this certification.

Nine, since there are many types of data security certification, what kind of certification do I need to get?

Different certifications have different purposes, different points, different standards, and different matters that can be proved. Just like an agency passed the ISO 27001 information security management system certification, this helps society believe that the agency's information security management ability is good. However, if this agency is a network security product manufacturer, the products they produce still need to obtain product certification certificates in accordance with relevant regulations, and different certificates cannot be mixed.

For specific data security management system certification, because this is similar to ISO 27001, it is not limited to the specific business types of the application agency, so it is widely applicable to various institutions. However, if this institution is not an APP manufacturer or other IT manufacturers, of course, it does not have to apply for a data security product certificate.

10. After passing the data security management system certification, do I still need to conduct data security assessment?

Certification has the purpose of certification, and evaluation has the purpose of evaluation. Certification cannot completely replace the evaluation. Moreover, even in terms of certification, in terms of data security management system certification, it can only prove that the management system of a certain institution can effectively protect data security and cannot prove others.

Just as an agency has passed the ISO 27001 information security management system certification, it still cannot replace the level protection evaluation, permeability test or other possible network security evaluation. However, the ISO 27001 it obtained is indeed good for the institution's network security capabilities. In many occasions, this certificate is enough, because in different scenarios, the data security level requirements of different institutions are different.

11. Can our unit apply to become a data security management system certification agency?

According to the Certification Accounting Regulations, the certification agency cannot be exclusive (even for compulsory certification). However, due to the special historical background of my country's information security product certification recognition system, when the China Information Security Certification Center (that is, the current China Network Security Review Technology and Certification Center) was established, it exclusively designated its compulsory certification of information security products. This "exclusive" targeted only for the compulsory certification of information security products at that time.

It can be understood in this way. According to the rules, many institutions can undertake the data security management system certification task. As for whether it will designate a number of and how to apply to become a data security management system certification agency, this needs to be clarified by the subsequent documents of the competent authority.

12. Is the data security management system certification compulsory? Is it a charge?

Not forced.

TOLL.

Anyone who does not understand the data security management system can be understood compared with the ISO 27001, it is just a pass.

Thirteen, I am a network security company. What are the opportunities for me to release this document?

First of all, as a network security enterprise, it is recommended that you first apply for data security management system certification. You provide network security and data security services for others, so you have to do well yourself. Just like a network security company must have an ISO 27001 certificate.

Secondly, the analog ISO 27001 certification, the market for "data security management system certification consulting service" has come, and work hard.

Third, the establishment of the data security management system generally requires related tools to support, and a new product category is also desperate.

｜ Beckham Conclusion ｜

■ The "Announcement on Carrying out Data Security Management Certification" was issued on the official website today, and the circle of friends has already swiped the screen. However, GB/T 41479-2022 "Information Security Technology Network Data Processing Security Requirements" has been released long ago, and it should not be suddenly felt at all. The world changes so fast, you have to bow your head and look up at the road. For any institution, it is really important to maintain strategic planning and research capabilities and insight into policy.

(Article source: WeChat public account Beckham said security (WeChat | xiaobeisaq))

- END -