China’s NITSSTC (National Information Security Standardization Technical Committee) has published new draft standards on the Cybersecurity Law for the solicitation of public opinion.
The new standards cover some topics that many international companies with operations in China have been wrestling with over the last couple of months. Because the Cybersecurity Law contains many vague expressions and loosely defined terms, further clarification was expected to come in 2018 in the form of multiple standards, guidelines, and directives.
Once enforced, these standards will provide guidance on the risk assessment specification for information security, the types of special cybersecurity products, the requirements for bodies providing audit and certification of information security management systems, and other issues. They are open for public comment until March 5, 2018.
The requirements for compliance with China’s Cybersecurity Law will be further clarified by these regulations and by the implementation of the law over the next months. However, many Western companies are still not sure to what extent they are affected by this new law and what measures they must have implemented by now.
We recommend that all companies with operations in China conduct a cybersecurity impact analysis and develop the necessary compliance measures.