
How China Pacific Insurance Earned Dual International & Domestic DevSecOps Certifications

China Pacific Insurance’s chief technology expert and senior security manager discuss how their flagship e‑commerce platform achieved the DevSecOps security delivery level‑2 assessment, the challenges faced, cultural and procedural changes implemented, and the measurable benefits of aligning with both ITU international and domestic standards.

Efficient Ops

Background

On May 29, 2024, China’s Central Cyberspace Administration, State Administration for Market Regulation, and Ministry of Industry and Information Technology released the Information Standard Construction Action Plan (2024‑2027), emphasizing the internationalization of IT standards and cooperation with bodies such as ISO, IEC, and ITU.

The China Academy of Information and Communications (CAICT) launched a synchronized assessment based on the ITU DevOps international standard and the domestic DevOps standard, enabling mutual recognition of standards.

Project Overview

China Pacific Insurance (Group) Co., Ltd. participated in the assessment with its “Group 2015 E‑Commerce Platform – Safe Box” project. The project passed the ITU DevOps international standard assessment and the domestic DevSecOps security delivery level‑2 assessment, demonstrating advanced domestic capability.

Interview Highlights

Q: Please introduce your company and the project. A: China Pacific Insurance is a leading integrated insurance group, part of the Fortune Global 500. The Safe Box platform has been stable for nine years, supporting PC and mobile sites, WeChat, and the APP, providing unified policy and claim queries for millions of users.

Q: What motivated the participation in the DevSecOps assessment? A: The company’s mission is to be a responsible insurer, which includes responsible technology. Demonstrating strong security capabilities builds customer confidence and meets increasing regulatory expectations for financial‑sector cyber resilience.

Q: What benefits did the assessment bring? A: It offered an objective benchmark against industry best practices, identified maturity gaps, and drove systematic improvements across the entire application security lifecycle—from requirements to deployment.

Q: What are the key cultural, process, and technical practices? A: Culturally, staff undergo mandatory security training and certification. Process‑wise, the “111+10” security requirement set is applied at each development stage. Technically, a comprehensive toolchain integrates security checks into CI/CD pipelines, and continuous penetration testing is conducted via a competitive “arena” model.

Q: What challenges were encountered? A: Tight timelines coinciding with national cyber‑defense drills and cross‑regional team coordination required strong collaboration, but the team successfully delivered on schedule.

Q: What are the next steps? A: China Pacific plans to extend DevSecOps assessments to both development and operation processes, continuously update its security knowledge base, and deepen security‑by‑design practices through the new “Digital Security Operations” initiative.

Key Outcomes

The assessment resulted in measurable improvements, illustrated in the accompanying charts (see images).

Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
