What is the primary objective of **ISO 26000**?

**ISO 26000 provides international guidance on social responsibility to help organizations contribute to sustainable development through transparent and ethical behavior.** Published in November 2010 and confirmed current in 2021, it defines social responsibility as an organization's accountability for its impacts on society and the environment. The standard outlines **seven principles** (accountability, transparency, ethical behavior, respect for stakeholder interests, rule of law, international norms, human rights) and **seven core subjects** (organizational governance, human rights, labor practices, environment, fair operating practices, consumer issues, community involvement/development) for holistic integration into governance, strategy, and operations.

Who is legally or professionally required to comply with **ISO 26000**?

**No organization is legally required to comply with ISO 26000, as it is voluntary guidance applicable to all types regardless of size, location, or sector.** It targets private, public, and non-profit entities, including SMEs, multinationals, hospitals, schools, and charities. Professional adoption is driven by stakeholder expectations, investor demands, and procurement criteria, but lacks enforceable mandates or thresholds like employee count or revenue.

Does **ISO 26000** require an external audit or third-party certification?

**ISO 26000 explicitly prohibits external audits or third-party certification, as it contains no requirements and is guidance only.** Clause 1 states certification claims would misrepresent its intent. Credibility relies on self-assessment, stakeholder engagement, transparent reporting (including shortfalls), and alignment with frameworks like GRI, using ISO's Communication Protocol for claims such as "used ISO 26000 as a guide."

How often should an assessment for **ISO 26000** be performed?

**ISO 26000 recommends periodic self-assessments at appropriate intervals aligned with organizational context and stakeholder needs, without specified frequency.** Organizations should integrate reviews into management cycles (e.g., annual materiality assessments, management reviews), reporting objectives, achievements, shortfalls, and improvement plans to ensure continuous relevance across core subjects.

What are the consequences of non-compliance with **ISO 26000**?

**There are no direct legal consequences for non-compliance with ISO 26000, as it imposes no requirements.** Indirect risks include reputational damage, lost stakeholder trust, procurement exclusion, investor scrutiny, and heightened vulnerability to related regulations on human rights or environment, stemming from unaddressed impacts in its core subjects.

Can **ISO 26000** be mapped to other international frameworks?

**Yes, ISO 26000 aligns with frameworks like OECD Guidelines, UN Global Compact, GRI, and UN SDGs through special agreements and linkage documents.** It complements them by providing principles and core subjects for SR integration, supporting ESG materiality, human rights due diligence, and reporting without replacing certifiable standards.

What is the first step to begin implementing **ISO 26000**?

**The first step is recognizing social responsibility and engaging stakeholders (Clause 5) to identify relevant issues across the seven core subjects.** Map organizational impacts, conduct stakeholder dialogue for prioritization, and assess context-specific relevance and significance before integration.

What is the primary objective of **MLPS 2.0 (Multi-Level Protection Scheme)**?

**The primary objective of MLPS 2.0 is to establish a graded cybersecurity protection system ensuring security controls match the potential harm from system compromise to national security, social order, and public interests.** It classifies information systems into five levels (1-5) based on impact severity, mandating commensurate technical, management, physical, and personnel controls per GB/T 22239-2020 standards. This framework operationalizes Article 21 of China's Cybersecurity Law for all network operators.

Who is legally or professionally required to comply with **MLPS 2.0 (Multi-Level Protection Scheme)**?

**All network operators in mainland China, including domestic firms, foreign-invested enterprises, and multinationals with local systems, must comply with MLPS 2.0.** Virtually every entity operating networks—covering IT, cloud, IoT, big data, and industrial control systems—is obligated under the 2017 Cybersecurity Law. Critical sectors like finance, energy, and telecom often classify at Level 3+.

Does **MLPS 2.0 (Multi-Level Protection Scheme)** require an external audit or third-party certification?

**Yes, MLPS 2.0 requires external security reviews by licensed Chinese firms for Level 2+ systems, with PSB approval and a minimum score of 75/100.** Level 1 uses self-assessment; Level 2+ mandates third-party audits covering technical, management, and physical controls per GB/T 28448-2019, followed by formal certification filing.

How often should an assessment for **MLPS 2.0 (Multi-Level Protection Scheme)** be performed?

**Assessments under MLPS 2.0 must occur periodically: biennially for Level 2, annually for Level 3, semi-annually for Level 4, and as mandated for Level 5.** Re-evaluations are also required after major changes like architecture updates. Self-inspections are ongoing for all levels.

What are the consequences of non-compliance with **MLPS 2.0 (Multi-Level Protection Scheme)**?

**Non-compliance with MLPS 2.0 risks fines up to 100,000 yuan, operational suspensions, system shutdowns, and intensified PSB inspections.** Enforcement since 2019 links certification to business license renewals; severe cases involve license revocation or criminal liability.

Can **MLPS 2.0 (Multi-Level Protection Scheme)** be mapped to other international frameworks?

**Yes, MLPS 2.0 control domains align with ISO 27001 Annex A and NIST CSF categories like organizational, physical, and technological controls.** Organizations use Statements of Applicability and risk treatment plans to demonstrate coverage, though MLPS adds prescriptive grading and PSB oversight.

ISO 26000 vs MLPS 2.0 (Multi-Level Protection Scheme)

Standards Comparison

ISO 26000

Voluntary

2010

International guidance for social responsibility integration

MLPS 2.0 (Multi-Level Protection Scheme)

Mandatory

N/A

China's mandatory graded cybersecurity protection framework

Quick Verdict

ISO 26000 offers voluntary global guidance on social responsibility for all organizations, while MLPS 2.0 mandates cybersecurity classification and controls for Chinese networks. Companies adopt ISO 26000 for ethical leadership; MLPS for legal compliance.

Social Responsibility

ISO 26000

ISO 26000:2010 Guidance on social responsibility

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Non-certifiable guidance avoiding certification burdens
Seven principles underpinning all SR decisions
Seven core subjects for holistic SR coverage
Stakeholder engagement drives relevance and prioritization
Integrates with existing ISO management systems

Standard

MLPS 2.0 (Multi-Level Protection Scheme)

Multi-Level Protection Scheme 2.0

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Five-level impact-based system classification
Mandatory PSB registration for Level 2+ systems
Graded technical controls for cloud and IoT
Third-party audits with 75/100 pass score
Ongoing governance and incident reporting

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 26000 Details

What It Is

ISO 26000:2010 is a non-certifiable international guidance standard on social responsibility (SR). It provides a comprehensive framework applicable to all organizations, defining SR and offering principles-based guidance for assessing impacts, engaging stakeholders, and integrating SR holistically. Its approach emphasizes context-specific prioritization over rigid requirements.

Key Components

**Seven principlesAccountability, transparency, ethical behavior, stakeholder respect, rule of law, international norms, human rights.
**Seven core subjectsOrganizational governance, human rights, labor practices, environment, fair operating practices, consumer issues, community involvement.
Built on multi-stakeholder consensus; no auditable controls, focuses on guidance and integration.
Explicitly rejects certification, promotes self-assessment and transparent reporting.

Why Organizations Use It

Enhances sustainability commitment, risk management, and stakeholder trust without certification costs. Aligns with SDGs, OECD, GRI; mitigates legal/reputational risks; drives resilience, efficiency, talent retention, and market access.

Implementation Overview

Phased approach: materiality assessment, stakeholder engagement, policy integration, training, KPIs, reporting. Suits all sizes/sectors; integrates with ISO 9001/14001/45001; no audits required, uses PDCA for continuous improvement.

MLPS 2.0 (Multi-Level Protection Scheme) Details

What It Is

MLPS 2.0 (Multi-Level Protection Scheme 2.0) is China's legally mandated cybersecurity framework under the 2017 Cybersecurity Law. It requires network operators to classify systems into five protection levels based on potential impact to national security, social order, and public interests, implementing graded technical, governance, and organizational controls.

Key Components

Core domains: physical security, network protection, data security, access control, monitoring, personnel management.
Standards like GB/T 22239-2019, GB/T 25070-2019 define baselines, extended for cloud, IoT, big data.
Five levels with escalating requirements; Level 2+ mandates third-party audits (75/100 score) and PSB approval.

Why Organizations Use It

Mandatory for China operations to avoid fines, suspensions.
Enhances resilience, aligns with data laws; builds regulator trust.
Competitive edge for market access, vendor contracts.

Implementation Overview

Phased: classify, gap analysis, remediate, audit, file with PSB.
Applies to all sizes in China; higher costs/audits for Level 3+. (178 words)

Key Differences

Aspect	ISO 26000	MLPS 2.0 (Multi-Level Protection Scheme)
Scope	Social responsibility across 7 core subjects	Cybersecurity for networks and systems
Industry	All organizations globally	Network operators in China
Nature	Voluntary guidance, non-certifiable	Mandatory regulation enforced by PSBs
Testing	Self-assessment, stakeholder engagement	Third-party audits, PSB approval
Penalties	No legal penalties	Fines, operational suspension