This standard regulates the working processes of testing and evaluation for classified protection of cybersecurity (hereinafter referred to as "testing and evaluation" and "T&E"), and specifies the testing and evaluation activities and their tasks.
This standard is applicable to T&E work for classified protection of cybersecurity performed by the T&E agency, the competent authority, and the operator and user of the rated object.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB 17859 Classified Criteria for Security Protection of Computer Information System
GB/T 22239 Information security technology—Baseline for classified protection of information system security
GB/T 25069 Information security technology—Glossary
GB/T 28448 Information security technology—Testing and evaluation requirement for classified protection of information system
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB 17859, GB/T 22239 and GB/T 28448 apply.
4 General about testing and evaluation
4.1 General about T&E process
The T&E work processes and tasks in this standard are based on the initial testing and evaluation of the rated object by the commissioned T&E agency. Where testing and evaluation has already been performed more than once, through self-inspection by the operator and user or by the commissioned T&E agency, the T&E agency and staff shall adapt some of their work tasks to the actual situation (see Annex A). The T&E agency shall carry out the related work strictly in accordance with the requirements for T&E work given in Annex B.
The T&E process consists of four basic activities: T&E preparation, scheme preparation, on-site testing and evaluation, and report preparation. Communication and negotiation between the parties involved in the testing and evaluation shall run through the entire T&E process. Each testing and evaluation activity has a defined set of tasks, as detailed in Table 1.
GB/T 28449-2018 The following standards are cited: