GB/T 22240-2020: Information security technology -- Classification guide for classified protection of cybersecurity
GB/T 22240-2020
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 22240-2008
Information security technology - Classification guide
for classified protection of cybersecurity
ISSUED ON: APRIL 28, 2020
IMPLEMENTED ON: NOVEMBER 01, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword ... 3 
Introduction ... 4 
1 Scope ... 5 
2 Normative references ... 5 
3 Terms and definitions ... 5 
4 Rating principle and process ... 7 
4.1 Security protection level ... 7 
4.2 Rating elements ... 8 
4.3 Relationship between rating elements and security protection level ... 9 
4.4 Rating process ... 9 
5 Determine the rating object ... 10 
5.1 Information system ... 10 
5.2 Network infrastructure ... 12 
5.3 Data resources ... 12 
6 Determine the security protection level ... 12 
6.1 Overview of rating methods ... 12 
6.2 Determine the infringed object ... 14 
6.3 Determine the degree of infringement on the object ... 15 
6.4 Preliminary determining level ... 17 
7 Determine the security protection level ... 17 
8 Change of level ... 18 
References ... 19 
Information security technology - Classification guide
for classified protection of cybersecurity
1 Scope
This standard gives the method and procedure for rating the security protection
level of classified protection objects that do not involve state secrets.
This standard is applicable for guiding network operators in carrying out the
rating of classified protection objects that do not involve state secrets.
2 Normative references
The following documents are essential to the application of this document. For
dated references, only the version with the indicated date applies to this
document; for undated references, the latest version (including all
amendments) applies to this document.
GB 17859-1999 Classified criteria for security protection of computer
information system
GB/T 22239-2019 Information security technology - Baseline for classified
protection of cybersecurity
GB/T 25069 Information security technology - Glossary
GB/T 29246-2017 Information technology - Security techniques -
Information security management systems - Overview and vocabulary
GB/T 31167-2014 Information security technology - Security guide of cloud
computing services
GB/T 32919-2016 Information security - Industrial control systems -
Guidelines for the application of security controls
GB/T 35295-2017 Information technology - Big data - Terminology
3 Terms and definitions
The terms and definitions as defined in GB 17859-1999, GB/T 22239-2019,
GB/T 25069, GB/T 29246-2017, GB/T 31167-2014, GB/T 32919-2016, GB/T
serious damage or particularly serious damage to the legitimate rights and
interests of the relevant citizens, legal persons and other organizations, or
cause harm to social order and public interests, but does not endanger
national security;
c) Level 3: After the classified protection object is damaged, it will cause
serious damage to social order and public interests, or endanger national
security;
d) Level 4: After the classified protection object is damaged, it will cause
particularly serious damage to social order and public interests, or
seriously endanger national security;
e) Level 5: After the classified protection object is damaged, it will cause
particularly serious damage to national security.
4.2 Rating elements
4.2.1 Overview of rating elements
The rating elements of the classified protection objects include:
a) Infringed objects;
b) The degree of infringement on the object.
4.2.2 Infringed objects
The infringed objects when the classified protection object is damaged include
the following three aspects:
a) The legitimate rights and interests of citizens, legal persons and other
organizations;
b) Social order and public interest;
c) National security.
4.2.3 Degree of infringement on the object
The degree of infringement on the object is determined comprehensively from
the different external manifestations of the objective aspect. Since
infringement on the object is achieved by damaging the classified protection
object, the external manifestation of the infringement on the object is the
damage to the classified protection object, which is described in terms of the
manner of infringement, the consequences of the infringement and the degree
of infringement.
Note 1: The main subjects of security responsibility include but are not limited to legal
persons such as enterprises, agencies and public institutions, as well as other social
organizations and other organizations that do not have legal person qualifications.
Note 2: Avoid using a single system component, such as a server, terminal, or network
device as a rating object.
When determining rating objects, cloud computing platforms/systems, Internet of
Things, industrial control systems and systems using mobile internet
technology shall, in addition to meeting the basic characteristics above,
follow the relevant requirements of 5.1.2, 5.1.3, 5.1.4 and 5.1.5
respectively.
5.1.2 Cloud computing platform/system
In a cloud computing environment, the classified protection objects on the cloud
service client side and the cloud computing platform/system on the cloud
service provider side must be rated as separate rating objects, meanwhile the
cloud computing platform/system is divided into different rating objects
according to different service models.
For large-scale cloud computing platforms, the cloud computing infrastructure
and the related auxiliary service systems should be divided into different
rating objects.
5.1.3 Internet of Things
The Internet of Things mainly includes characteristic elements such as
perception, network transmission, processing applications. The above
elements need to be rated as a whole object; each element is not rated
individually.
5.1.4 Industrial control system
The industrial control system mainly includes characteristic elements such as
field acquisition/execution, field control, process control, production
management. Among them, field acquisition/execution, field control, process
control and other elements need to be rated as a whole object; each element is
not rated separately; production management elements should be rated
separately.
For large industrial control systems, they can be divided into multiple rating
objects based on factors such as system functions, responsible subjects,
control objects, manufacturers.
5.1.5 System using mobile internet technology
The system adopting mobile internet technology mainly includes mobile
terminals, mobile applications, wireless networks and other characteristic
6.2 Determine the infringed object
The infringed objects when the rating object is damaged include national
security, social order, public interest, as well as the legitimate rights and
interests of citizens, legal persons and other organizations.
Matters that infringe national security include the following:
- Affecting the stability of state power and the integrity of territorial
sovereignty and maritime rights and interests;
- Affecting national unification, ethnic unity and social stability;
- Affecting the national socialist market economic order and cultural
strength;
- Other matters affecting national security.
Matters infringi...