Information security technology – Capability requirements of cybersecurity service
1 Scope
This document specifies the capability requirements for cybersecurity services, comprising general requirements and enhancement requirements.
This document applies to guiding cybersecurity service providers in delivering cybersecurity services and to evaluating the capability level of cybersecurity service providers; it may also serve as a reference for cybersecurity service acquirers when selecting cybersecurity service providers.
Note: The cybersecurity services mentioned in this document exclude the cybersecurity services involving state secrets.
2 Normative references
The following documents contain requirements which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 20984 Information security technology - Risk assessment method for information security
GB/T 22080 Information technology - Security techniques - Information security management systems - Requirements
GB/T 25069 Information security technology - Glossary
GB/T 36959 Information security technology - Capability requirements and evaluation specification for assessment organizations of classified protection of cybersecurity
GB/T 39204-2022 Information security technology - Cybersecurity requirements for critical information infrastructure protection
GB/T 42446 Information security technology - Basic requirements for competence of cybersecurity workforce
GB/T 42461 Information security technology - Guidelines for cyber security service cost measurement
Emergency Plan for Network Security Incidents of the People's Republic of China (Publicized by Order No.4 [2017] of the Office of the Central Leading Group for Cyberspace Affairs on January 10, 2017)
Regulations on the management of network product security vulnerabilities (Publicized by Order No.66 [2021] of the Ministry of Public Security, the National Internet Information Office and the Ministry of Industry and Information Technology on July 12, 2021)
Catalogue of key network equipment and special products for network security (first batch) (Publicized by Order No.01 [2017] of the Certification and Accreditation Administration, the Ministry of Public Security, the National Internet Information Office and the Ministry of Industry and Information Technology on June 1, 2017)
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069 and the following apply.
3.1
cybersecurity service
service that ensures network operation security and network information security in accordance with a service agreement, drawing on the service provider's personnel, technology, tool, management and funding resources
Note 1: Common cybersecurity services include testing and evaluation, security operation and maintenance, security consulting, etc.
Note 2: Cybersecurity services are usually delivered as service projects agreed between a seller and a buyer.
Note 3: Assessment of classified protection of cybersecurity and security evaluation of commercial cryptography applications are specific types of testing and evaluation services.
3.2
cybersecurity service provider
an organization that provides cybersecurity services (3.1)
Note: Referred to as "service provider" for short.
3.3
cybersecurity service acquirer
an organization or individual that obtains external cybersecurity services (3.1) to meet network security needs and achieve its own business goals
Note: Referred to as "service acquirer" for short.
4 Overall requirements
4.1 A cybersecurity service provider shall meet the requirements of Clause 5 when providing cybersecurity services to a cybersecurity service acquirer. When providing cybersecurity services to service acquirers with higher requirements for cybersecurity services (such as party and government organs and critical information infrastructure operators), the cybersecurity service provider shall also meet the requirements of Clause 6.
4.2 The requirements for assessment organizations of classified protection of cybersecurity shall comply with the provisions of GB/T 36959.
4.3 The requirements for security evaluation organizations of commercial cryptography applications shall comply with the relevant laws, regulations and standards of the national cryptography administration.
Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Overall requirements
5 General requirements
5.1 Basic conditions
5.2 Organizational management
5.3 Project management
5.4 Supply chain management
5.5 Technical capability
5.6 Service tools
5.7 Remote services
5.8 Legal safeguards
5.9 Data security protection
5.10 Service sustainability
5.11 Special requirements for testing and evaluation services
5.12 Special requirements for security operation and maintenance services
6 Enhancement requirements
6.1 Basic conditions
6.2 Organizational management
6.3 Supply chain management
6.4 Technical capability
6.5 Service tools
6.6 Data security protection
6.7 Service sustainability
6.8 Special requirements for security operation and maintenance services
Annex A (Informative) Types of common tools used in cybersecurity service
Bibliography