What Is China’s Cybersecurity Grading System and How Did It Evolve to 2.0?
This article provides a comprehensive overview of China’s cybersecurity grading (等级保护) system, covering its legal foundations, the transition to the 2.0 framework, the core standards, organizational responsibilities, classification procedures, filing requirements, and ongoing supervision.
1. Development of the Grading Protection System
The grading protection system originated from several legal documents, including the 1994 Computer Information System Security Protection Regulations, the 1995 People’s Republic of China Police Law (revised 2012), the 2008 State Council "Three‑Decision" plan, and the 2016 Cybersecurity Law. These laws assign the Ministry of Public Security (MPS) the authority to supervise, inspect, and guide national information system security grading.
Policy directives such as the 2003 Opinion on Strengthening Information Security Assurance, the 2004 Implementation Opinions on Information Security Grading, and the 2006 Information Security Grading Management Measures further define the MPS’s supervisory role and the establishment of technical support mechanisms.
The grading system is overseen by a hierarchy of public security agencies: national (MPS Network Security Protection Bureau), provincial (Network Police Corps), municipal (Network Police Detachment), and county‑level (Network Police Brigade), each responsible for policy formulation, enforcement, and monitoring.
2. Cybersecurity Grading Standards System
Since the 2017 enactment of the Cybersecurity Law, the system entered the “2.0” era, introducing new legal, policy, standard, technical, talent, training, and assurance frameworks. All critical infrastructures—including cloud platforms, big‑data centers, IoT, industrial control systems, and public service platforms—are now subject to grading.
The core standard is GB/T22239‑2019 Cybersecurity Grading Basic Requirements, which defines universal (general) and extended security requirements. Additional standards include:
GB/T25058‑2020 Cybersecurity Grading Implementation Guide
GB/T22240‑2020 Grading Classification Guide
GB/T25070‑2019 Design Technical Requirements
GB/T28449‑2018 Assessment Process Guide
These standards address both generic security controls (physical environment, communication network, boundary, computing environment, management center) and management controls (policy, organization, personnel, construction, operation).
Extended requirements cover emerging technologies: cloud computing, mobile internet, IoT, and industrial control systems, each with specific security measures.
3. Cybersecurity Grading Work Process
The grading workflow consists of six main steps: classification, filing, system construction/rectification, assessment, and periodic supervisory inspection. A flow diagram (see image) illustrates the sequence.
Classification Levels
Information systems are assigned one of five protection levels based on importance and potential impact of compromise. Levels dictate the depth of security controls required.
Filing Requirements
Systems classified at level 2 or higher must submit a two‑copy “Information System Security Grading Filing Form” along with supporting documentation. Level 3 and above require additional material after rectification and assessment.
The filing form includes sections on:
Basic information of the organization
Details of the information system
Classification results
Materials submitted for level 3+ systems
Construction and Rectification
After classification, the system must achieve the required protection capabilities, such as unified security policies, intrusion detection, incident response, rapid recovery, and centralized management of resources and users.
Assessment and Supervision
Assessment agencies evaluate compliance with the grading standards. Assessment frequency depends on the level: level 3 systems are assessed annually, and level 2 systems are recommended to be assessed every two years. Supervisory departments conduct regular inspections to ensure ongoing compliance.
References:
Computer & Network Security, “Interpretation of the Grading 2.0 Standard System” – grading guide diagrams
WeChat articles: https://mp.weixin.qq.com/s/AIMoRo74xzuYnUsXne1ktw
Huolala Safety Emergency Response Center
Official public account of the Huolala Safety Emergency Response Center (LLSRC)