Main reference standards

of the assessment adipiscing

Security capability requirements of cloud

computing services (GB/T 31168-2014)

Security guide of cloud computing

services (GB/T 31167-2014)

Tips

Security Capability Requirements of Cloud Computing Services

impose several requirements for system development and supply

chain security, system and communication protection, access

control, configuration management, maintenance, emergency

response and disaster recovery, audit, risk assessment and

continuous monitoring, security organization and personnel,

physical and environmental security.

Application of the assessment

Date of the application for assessment

From September 1, 2019

Application materials

A completed application form

A report on the business

continuity and security of the

service supply chain

A report on the possibility and

ease of transferring customers’

data

A security plan of the cloud

computing service system

Tips

The format of the application materials can be

downloaded from http://www.cac.gov.cn.

Some cloud computing service platforms have already Some cloud computing service platforms have already

passed the cyber security review by party and

government organizations. These platforms are

regarded as having passed the cloud computing

service security assessment, so they do not need to

apply again.

Assessment process

Application

Acceptance

Assessment by professional

technical organizations

Comprehensive evaluation by

expert groups for cloud

computing service security

Review by cloud computing

services security assessment

coordination mechanism

Approval by Cyberspace

Administration of China (CAC)

Release of assessment

results

Continuous

Monitoring

The results of the assessment will be

released on http://www.cac.gov.cn

by Cybersecurity Coordination

Bureau of Cyberspace

Administration of China.

The results are valid for 3 years.

How to protect trade secrets and intellectual property rights

of cloud service providers during the security assessment?

In the process of the security assessment, the organizations and

people involved undertake confidentiality obligations to not

disclose confidential materials submitted by the cloud service

providers and those obtained from the security assessment.

A cloud platform management

operator can report to CAC or relevant

departments if it finds that the relevant

institutions and personnel fail to

assume the confidentiality obligation.

How to get more information about cloud computing

service security assessment?

Send your questions toyunpinggu@cac.gov.cn

Call 010-55635861

Measures for Cloud Computing Services

Security Assessment

Quick Guide for

Editor: CHEN WuyangEnglish Translation by SESEC Designer: LIU Xiaolong

Scan the QR code

to follow the Wechat Official Account of CAC

Cyberspace Administration of China