State Administration of Market Supervision and Administration
National Internet Information Office
Announcement
2022 No. 18
Announcement on the work of data security management certification
According to the relevant provisions, data security management certification work is carried out to encourage network operators to standardize their network data processing activities through certification and to strengthen network data security protection. Certification agencies engaged in data security management certification activities shall be established in accordance with the law and shall implement certification in accordance with the "Data Security Management Certification Implementation Rules" (see attachment).
State Administration of Market Supervision and Administration    National Internet Information Office
June 5, 2022
Data Security Management Certification Implementation Rules
1 Applicable scope
In accordance with the "Regulations on Certification and Accreditation of the People's Republic of China", these rules set out the basic principles and requirements for certifying the network data processing activities carried out by network operators, including collection, storage, use, processing, transmission, provision and public disclosure.
2 Certification basis
GB/T 41479 "Information Security Technology Network Data Processing Security Requirements" and related standard specifications.
In principle, the latest version of the above standards issued by the standardization administrative department shall apply.
3 Certification mode
The certification mode of data security management certification is:
Technical verification + on-site review + post-certification supervision
4 certification implementation procedures
4.1 Certification commission
The certification agency shall specify the requirements for the certification commission materials, including but not limited to basic materials, the certification commission letter, and relevant certification documents.
The certification client shall submit the certification commission materials according to the requirements of the certification agency, and the certification agency shall respond in a timely manner as to whether the commission is accepted.
Based on the certification commission materials, the certification agency shall determine the certification plan, including the type and quantity of data, the scope of data processing activities, and the technical verification agency to be used, and notify the certification client.
4.2 Technical verification
The technical verification agency shall implement technical verification in accordance with the certification plan and issue a technical verification report to the certification agency and the certification client.
4.3 On-site review
The certification agency shall conduct the on-site review and issue an on-site review report to the certification client.
4.4 Evaluation and approval of certification results
The certification agency shall comprehensively evaluate the certification commission materials, the technical verification report, the on-site review report, and other relevant information in order to make a certification decision. If the certification requirements are met, a certification certificate shall be issued; if the requirements are not yet met, the certification client may be allowed to rectify within a time limit; if the requirements are still not met after rectification, the certification agency shall notify the certification client in writing that certification is terminated.
If the certification client or the network operator engages in deception, concealment of information, or intentional violation of certification requirements that seriously affects the implementation of certification, certification shall not be approved.
4.5 Supervision after obtaining a certificate
4.5.1 The frequency of supervision
The certification agency shall continue to supervise the network operators who have obtained certification within the validity period and reasonably determine the frequency of supervision.
4.5.2 Supervision content
The certification agency shall take appropriate ways to implement post -certification supervision to ensure that the certified network operator continues to meet the certification requirements.
4.5.3 Evaluation of the supervision results after the certificate obtained
The certification agency shall comprehensively evaluate the conclusions of post-certification supervision and other relevant information. If the evaluation is passed, the certification is maintained; if it is not passed, the certification agency shall suspend the certification certificate, up to and including cancellation.
4.6 Certification time limit
The certification agency shall make clear provisions on the time limit for each stage of certification and ensure that the relevant work is completed within that time limit. Certification clients shall actively cooperate with certification activities.
5 Certificate and certification logo
5.1.1 Maintenance of the certification certificate
The certification certificate is valid for 3 years. During the validity period, the validity of the certificate is maintained through the certification agency's post-certification supervision.
Before the certificate expires, the certification client shall submit a certification commission within the 6 months preceding the end of the validity period. The certification agency shall use post-certification supervision to issue a new certificate for commissions that meet the certification requirements.
5.1.2 Change of certification certificates
During the validity period of the certification, when the certified network operator's name, registered address, certification requirements, or certification scope changes, the certification client shall submit a change commission to the certification agency. The certification agency shall evaluate the change commission materials according to the nature of the change and determine whether the change can be approved. Where technical verification and/or on-site review is required, it shall be performed before the change is approved.
5.1.3 Certification, suspension and cancellation of certification certificates
When a certified network operator no longer meets the certification requirements, the certification agency shall promptly suspend the certification certificate, up to and including cancellation. The certification client may apply to suspend or cancel the certification certificate within its validity period.
Certification agencies shall announce the certification of network operator certifications that have been suspended, canceled and revoked in an appropriate way.
5.2 Certification mark
"ABCD" represents the identification information of the certification agency.
5.3 Use of the certification certificate and certification mark
During the validity period of the certification, certified network operators shall use the certification certificate and certification mark properly in accordance with the relevant regulations, and shall not mislead the public.
6 Certification Implementation Rules
Certification agencies shall refine the implementation procedures of certification in accordance with the relevant requirements of these rules, formulate scientific, reasonable, and operable certification implementation rules, and announce the implementation.
7 Certification responsibility
Certification agencies shall be responsible for the on-site review conclusions and the certification conclusions.
Technical verification agencies shall be responsible for technical verification conclusions.
Certified clients shall be responsible for the authenticity and legitimacy of the certification commission information.