GB/T 22239-2019 English PDF (GBT22239-2019)

GB/T 22239-2019: Information security technology -- Baseline for classified protection of cybersecurity
GB/T 22239-2019
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 22239-2008
Information security technology -
Baseline for classified protection of cybersecurity
ISSUED ON: MAY 10, 2019
IMPLEMENTED ON: DECEMBER 01, 2019
Issued by: State Market Regulatory Administration;
Standardization Administration of PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview of Classified protection of cybersecurity
5.1 Object under classified protection
5.2 Different classes of security protection ability
5.3 General security requirements and security extension requirements
6 Level 1 security requirements
6.1 General security requirements
6.2 Security extension requirements of cloud computing
6.3 Security extension requirements of mobile internet
6.4 Security extension requirements for IoT
6.5 Security extension requirements for industrial control systems
7 Level 2 security requirements
7.1 General security requirements
7.2 Extension requirements for cloud computing security
7.3 Extension requirements for mobile Internet security
7.4 Extension requirements for IoT security
7.5 Security extension requirements for industrial control systems
8 Level 3 security requirements
8.1 General security requirements
8.2 Extension requirements for cloud computing security
8.3 Extension requirements for mobile Internet security
8.4 Extension requirements for IoT security
8.5 Security extension requirements for industrial control systems
9 Level 4 security requirements
9.1 General security requirements
9.2 Extension requirements for cloud computing security
9.3 Extension requirements for mobile internet security
9.4 Extension requirements for IoT security
9.5 Extension requirements for security of industrial control systems
10 Level 5 security requirements
Appendix A (Normative) Selection and use of general security requirements and security extension requirements
Appendix B (Normative) Requirements on overall security protection ability of the object under classified protection
Appendix C (Normative) Security framework of classified protection and requirements for key technology use
Appendix D (Informative) Description of cloud computing application scenarios
Appendix E (Informative) Description of mobile internet application scenarios
Appendix F (Informative) Description of IoT application scenario
Appendix G (Informative) Description of application scenarios of industrial control systems
Appendix H (Informative) Descriptions on big data application scenarios
References
Information security technology -
Baseline for classified protection of cybersecurity
1 Scope
This standard specifies the general security requirements and security
extension requirements for the project under classified protection from level 1
to level 4 of the classified protection of cybersecurity.
This standard is applicable to guide the security construction and supervision
administration of non-confidential objects in different classes.
Note: The class-5 protection object is a very important supervision and management
object. It has special management modes and security requirements, so it is not
described in this standard.
2 Normative references
The following documents are essential to the application of this document. For
the dated documents, only the versions with the dates indicated are applicable
to this document; for the undated documents, only the latest version (including
all the amendments) is applicable to this standard.
GB 17859 Classified criteria for security protection of computer information
system
GB/T 22240 Information security technology - Classification guide for
classified protection of information system security
GB/T 25069 Information security technology glossary
GB/T 31167-2014 Information security technology - Security guide of cloud
computing services
GB/T 31168-2014 Information security technology - Security ability
requirements of cloud computing services
GB/T 32919-2016 Information security technology - Application guide to
industrial control system security control
3.5
Cloud service customer
Participants who use cloud computing services to establish business
relationships with cloud service providers.
[GB/T 31168-2014, definition 3.4]
3.6
Cloud computing platform / system
A collection of cloud computing infrastructure and service software provided
by a cloud service provider.
3.7
Hypervisor
An intermediate software layer that runs between the underlying physical
server and the operating system, allowing multiple operating systems and
applications to share hardware.
3.8
Host machine
The physical server running the hypervisor.
3.9
Mobile communication
The process of using a wireless communication technology to connect a
mobile device to a wired network.
3.10
Mobile device
Terminal devices used in mobile business, including general-purpose
terminals and special-purpose terminal devices, such as smartphones, tablets,
and personal computers.
3.11
Wireless access device
A communication device that uses wireless communication technology to
WEP: Wired Equivalent Privacy
WPS: WiFi Protected Setup
5 Overview of Classified protection of cybersecurity
5.1 Object under classified protection
The object under classified protection refers to the objects in the classified
protection of cybersecurity. It usually refers to a system consisting of computers
or other information terminals and related devices that collects, stores, transmits,
exchanges, and processes information in accordance with certain rules and
procedures. It mainly includes basic information networks, cloud computing
platforms / systems, big data applications / platforms / resources, Internet of
Things (IoT), industrial control systems, and systems using mobile internet
technologies. Based on the degree of harm to national security, economic
construction, and social life, and the degree of harm to national security, social
order, public interests, and the legitimate rights and interests of citizens, legal
persons, and other organizations after damage, the object under classified
protection is divided into five protection classes from low to high.
See GB/T 22240 for the method of determining the security protection level of
the protected object.
5.2 Different classes of security protection ability
The basic security protection abilities that different classes of protected objects
shall possess are as follows:
Level 1 security protection ability: It shall be able to protect against critical
resource damage caused by malicious attacks from individuals, threat sources
with few resources, general natural disasters, and other threats of a considerable
degree of harm. After the damage, it may restore some functions.
Level 2 security protection ability: It shall be able to protect against important
resource damage caused by malicious attacks from small external sources,
threat sources...