
State Administration of Market Supervision and State Internet Information Office: carry out data security management certification

2022-06-12 01:11:00 Worry free in the cloud

State Administration of Market Supervision
National Internet Information Office
Announcement
No. 18 of 2022


Announcement on carrying out data security management certification


In accordance with the relevant provisions of the Network Security Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China and the Regulations of the People's Republic of China on Certification and Accreditation, the State Administration of Market Supervision and the State Internet Information Office have decided to carry out data security management certification, to encourage network operators to standardize their network data processing activities through certification and to strengthen network data security protection. A certification body engaged in data security management certification activities shall be established according to law and shall implement certification in accordance with the Implementation Rules for Data Security Management Certification (see the attachment).
This is hereby announced.
Attachment: Implementation Rules for Data Security Management Certification

State Administration of Market Supervision         National Internet Information Office
June 5, 2022

Attachment

Implementation Rules for Data Security Management Certification

1 Scope of application
These rules are formulated on the basis of the Regulations of the People's Republic of China on Certification and Accreditation. They stipulate the basic principles and requirements for certifying network operators' network data processing activities, including collection, storage, use, processing, transmission, provision and disclosure.


2 Certification basis

GB/T 41479, Information security technology: Security requirements for network data processing, and relevant standards and specifications.
In principle, the above standards shall be applied in the latest version issued by the national standardization administration department.


3 Certification mode

The certification mode for data security management certification is:
Technical verification + on-site audit + post-certification supervision


4 Certification implementation procedures


4.1 Certification entrustment

The certification body shall specify the requirements for the certification entrustment materials, including but not limited to the basic materials of the certification client, the power of attorney for certification, and relevant supporting documents.
The certification client shall submit the certification entrustment materials as required by the certification body. After reviewing the materials, the certification body shall promptly inform the client whether it accepts the certification entrustment.
The certification body shall determine the certification scheme according to the certification entrustment materials, including the type and quantity of data, the scope of the data processing activities involved, and information on the technical verification institution, and shall notify the certification client.


4.2 Technical verification

The technical verification institution shall carry out technical verification in accordance with the certification scheme, and issue the technical verification report to the certification body and the certification client.


4.3 On site audit

The certification body conducts the on-site audit and issues the on-site audit report to the certification client.


4.4 Evaluation and approval of certification results

The certification body shall conduct a comprehensive evaluation of the certification entrustment materials, the technical verification report, the on-site audit report and other relevant information, and make a certification decision. For those meeting the certification requirements, it shall issue a certification certificate. For those that do not yet meet the certification requirements, the certification client may be required to rectify within a time limit; if the requirements are still not met after rectification, the certification body shall notify the certification client in writing that the certification is terminated.
If the certification client or the network operator is found to have engaged in deception, concealment of information, intentional violation of certification requirements or other behavior that seriously affects the implementation of certification, the certification shall not be passed.


4.5 Post-certification supervision


4.5.1 Frequency of supervision

Within the period of validity of the certification, the certification body shall continuously supervise certified network operators and reasonably determine the supervision frequency.


4.5.2 Contents of supervision

The certification body shall take appropriate measures to implement post-certification supervision and ensure that certified network operators continue to meet the certification requirements.


4.5.3 Evaluation of post-certification supervision results

The certification body shall make a comprehensive evaluation of the post-certification supervision conclusions and other relevant information. If the evaluation is passed, the certification certificate can be maintained. If it is not passed, the certification body shall, according to the circumstances, suspend or even revoke the certification certificate.


4.6 Certification time limit

The certification body shall clearly stipulate the time limit for each stage of certification and ensure that the relevant work is completed within the time limit. The certification client shall actively cooperate with the certification activities.


5 Certification certificate and certification mark


5.1 Certification certificate


5.1.1 Maintenance of certification  

The certificate is valid for 3 years. Within the validity period, the validity of the certificate is maintained through the post-certification supervision of the certification body.
If the certificate needs to be continued when it expires, the certification client shall submit a certification entrustment within the 6 months before the validity period expires. The certification body shall apply the post-certification supervision method and issue a new certificate to those that meet the certification requirements.


5.1.2 Change of certificate

Within the validity period of the certificate, if the name or registered address of the certified network operator, the certification requirements, or the scope of certification changes, the certification client shall submit a change entrustment to the certification body. The certification body shall evaluate the change entrustment materials according to the contents of the change and determine whether the change can be approved. If technical verification and/or on-site audit is required, it shall be carried out before the change is approved.


5.1.3 Cancellation, suspension and revocation of certification certificates

When a certified network operator no longer meets the certification requirements, the certification body shall suspend or even revoke the certification certificate in a timely manner. The certification client may apply for suspension or cancellation of the certification certificate within its validity period.
The certification body shall use appropriate means to publish the network operator certification certificates that have been suspended, cancelled or revoked.


5.2 Certification mark


“ABCD” represents the identification information of the certification body.


5.3 Use of certification certificates and certification marks

Within the validity period of the certificate, the certified network operator shall use the certification certificate and certification mark correctly in advertising and other publicity, in accordance with relevant provisions, and shall not mislead the public.


6 Certification implementation rules

The certification body shall, in accordance with the relevant requirements of these rules, refine the certification implementation procedures, formulate scientific, reasonable and operable certification implementation rules, and publish and implement them.


7 Certification responsibility

The certification body shall be responsible for the on-site audit conclusion and the certification conclusion.
The technical verification institution shall be responsible for the technical verification conclusion.
The certification client shall be responsible for the authenticity and legality of the certification entrustment materials.