Recently, the Ministry of Industry and Information Technology ("MIIT") has issued the Administrative Measures for the Evaluation of Industrial Control Systems' Capacity for Protecting Information Security (the "Measures"), effective from September 1, 2017.
The Measures propose to set up a national expert committee for the evaluation of industrial control systems' capacity for security protection. This committee will take charge of randomly inspecting and reviewing reports on the evaluation of industrial control systems' capacity for security protection, and put forward their suggestions and provide consultation with respect to such evaluation. Agencies undertaking the said evaluation should meet three basic requirements, such as "having an independent legal personality as a public institution". In addition, the Measures make it clear that evaluation procedures comprise the acceptance of evaluation applications, setup of a panel of professionals for the evaluation, preparation of an evaluation plan, implementation of evaluating activities on spot, feedback on on-spot evaluation, rectification made by enterprises on their own, implementation of the re-evaluation, and formation of the evaluation report. Furthermore, the Measures note that the work group for evaluation should entrust the above-said expert committee for the evaluation to perform necessary random inspections and reexaminations of evaluation reports irregularly. If anything is found to be in violation of applicable provisions or standards specified in the Measures, the enterprise concerned should be ordered to make rectifications within a prescribed time limit or go through another evaluation, and submit evaluation materials within 30 days.