Introduction of the Seminar

From April 18 to 19, the China National Information Security Standardization Technical Committee (TC260) convened TC meetings for the Working Groups' discussions and consultations on standards projects. The meetings are a periodic progress presentation by candidate standards developing organisations (SDOs) in response to TC260's Notice on Requirements for Developing the 2022 National Cybersecurity Standards.

During the two-day meeting, the secretaries of six working groups (WGs) each held online meetings with their members to discuss the standards drafts in their respective fields. Those drafts had been submitted by SDO candidates half a month before the meeting was convened. Specifically, three drafts were discussed in WG3, three in WG4, nine in WG5, one in WG6, nine in WG7, and nine in SWG-BDS. For more detailed information about their drafts.

The discussion included, but was not limited to, a review of each standard's maturity and feasibility, as well as its drafting plan. Members of the same working group were also allowed to raise questions and make comments to guide further drafting. Based on the outcomes of the discussion, the drafting organisations are required to revise and improve their drafts, refine the implementation and application scheme, and carry out the relevant research within the next 2 months.

Summary of Key Standards in the Meeting

Based on the List of Standard Priorities in Urgent Needs for Cybersecurity released by TC260 on 6 January 2022, the following is the information revealed at the meeting about six key standards.

Name of the standard: Risk assessment method for data security
Type: New draft
Contents: This standard intends to clarify the method, process and assessment report formulation for data security risk assessment.
Law supported: Supports the implementation of Articles 18 and 30 of the Data Security Law on data security risk assessment.

Name of the standard: Security requirements for processing of important data
Type: New draft
Contents: This standard intends to clarify the requirements for data processors regarding important data protection throughout the whole process of important data processing, with special requirements for data storage and use.
Law supported: Supports Article 21 of the Data Security Law on requirements regarding important data protection.

Name of the standard: Security requirements for processing sensitive personal information
Type: New draft
Contents: This standard intends to focus on personal information related to health care, financial accounts and whereabouts information; to clarify the security requirements for data processors regarding data collection, storage, use and processing, transmission and deletion; and to set special requirements regarding the necessity of data collection, safety protection, data masking rules, the rules of informed consent, etc.
Law supported: Supports the implementation of Section 2 of the Personal Information Protection Law (rules for processing sensitive personal information).

Name of the standard: Security requirements for automated decision making based on personal information
Type: New draft
Contents: This standard intends to clarify the requirements for data processors regarding data security and personal information protection in the application of automated decision making and other related applications.
Law supported: Supports the implementation of Article 24 of the Personal Information Protection Law on the requirements for using personal information in automated decision-making.

Name of the standard: Security requirements for data exchange service
Type: Revision
Contents: This standard intends to revise GB/T 37932-2019 Information security technology - Security requirements for data transaction service and to clarify the security requirements for data transaction participants, transaction objects and the transaction process.
Law supported: Supports the implementation of Article 19 of the Data Security Law on regulating data transactions.