What is the primary objective of MLPS 2.0 (Multi-Level Protection Scheme)?

The primary objective of MLPS 2.0 is to establish a graded cybersecurity protection system for all network operators in China, ensuring security controls match the potential harm from system compromise to national security, social order, public interests, and citizens' rights. Operationalized under Article 21 of the 2017 Cybersecurity Law, it requires classification into five levels (1-5) based on impact severity, with controls defined in GB/T 22239-2019 (basics), GB/T 25070-2019 (technical), and GB/T 28448-2019 (evaluation), covering cloud, IoT, big data, and industrial systems.

Who is legally or professionally required to comply with MLPS 2.0 (Multi-Level Protection Scheme)?

All "network operators" in mainland China must comply with MLPS 2.0, defined broadly to include any entity building, operating, or using networks or information systems. This encompasses domestic enterprises, foreign multinationals with China operations, cloud providers, and critical infrastructure operators across sectors like finance and energy; virtually no organization with IT systems is exempt, with filing required via local Public Security Bureaus (PSBs).

Does MLPS 2.0 (Multi-Level Protection Scheme) require an external audit or third-party certification?

Yes, MLPS 2.0 requires external audits and third-party evaluations for systems at Level 2 and above, conducted by licensed Chinese firms per GB/T 28448-2019 scoring (typically ≥70/100 pass threshold). Level 1 relies on self-assessment; higher levels mandate PSB approval post-audit, with documentation like topology diagrams and controls verified on-site.

How often should an assessment for MLPS 2.0 (Multi-Level Protection Scheme) be performed?

Assessments under MLPS 2.0 must occur periodically based on level: biennially for Level 2, annually for Level 3, semi-annually for Level 4, and as mandated for Level 5, plus self-inspections and re-evaluations after major changes. Third-party evaluations and PSB verifications ensure ongoing compliance, with online exams and inspections possible anytime.

What are the consequences of non-compliance with MLPS 2.0 (Multi-Level Protection Scheme)?

Non-compliance with MLPS 2.0 triggers administrative fines (e.g., RMB 50,000+ as in Jiangsu hacking case, up to RMB 50 million under related data laws), operational suspensions, blacklisting, and intensified PSB inspections. Over 6,400 investigations since 2017 demonstrate enforcement, including dawn raids and license impacts for unfiled or failed systems.

Can MLPS 2.0 (Multi-Level Protection Scheme) be mapped to other international frameworks?

Yes, MLPS 2.0 controls can be mapped to frameworks like ISO 27001 and NIST CSF, aligning domains such as governance, access, and monitoring, though MLPS adds China-specific elements like data localization and PSB oversight. Organizations leverage existing ISMS for efficiency but address gaps in prescriptive grading and enforcement.

What is the first step to begin implementing MLPS 2.0 (Multi-Level Protection Scheme)?

The first step is to conduct a comprehensive inventory of grading objects (networks, systems, applications) and perform preliminary impact-based classification into Levels 1-5 using GB/T 22239-2019 matrices. This self-assessment of harm to national security, social order, and rights informs scoping, followed by expert review for Level 2+ and PSB filing within 30 days.

What is the primary objective of ISO 27017?

ISO 27017 provides cloud-specific implementation guidance for 37 ISO 27002 controls plus 7 additional cloud-focused controls (CLD.6.3.1, CLD.8.1.5, CLD.9.5.1, CLD.9.5.2, CLD.12.1.5, CLD.12.4.5, CLD.13.1.4) to address shared responsibilities, multi-tenancy, virtual machine configuration, and customer monitoring in cloud environments. Published in 2015, it extends ISO 27001 ISMS for CSPs and CSCs, clarifying roles in IaaS, PaaS, and SaaS models.

Who is legally or professionally required to comply with ISO 27017?

No organization is legally required to comply with ISO 27017, as it is a voluntary code of practice rather than a mandated regulation. Professionally, it applies to cloud service providers (CSPs) and cloud service customers (CSCs) managing cloud risks within an ISO 27001 ISMS, particularly those facing procurement demands or regulatory pressures like GDPR for cloud data handling.

Does ISO 27017 require an external audit or third-party certification?

ISO 27017 does not support standalone third-party certification or require a separate external audit. It is implemented and assessed within an ISO 27001 ISMS audit, where certification bodies evaluate the 7 CLD controls and 37 extended controls as part of the ISO 27001 scope.

How often should an assessment for ISO 27017 be performed?

ISO 27017 assessments occur as part of annual ISO 27001 surveillance audits and triennial recertification audits. Organizations must also perform ongoing risk assessments and internal reviews to ensure continuous alignment of cloud controls like virtual segregation (CLD.9.5.1) and customer monitoring (CLD.12.4.5).

What are the consequences of non-compliance with ISO 27017?

Non-compliance with ISO 27017 carries no direct legal penalties, as it is a voluntary guidance standard. Indirect consequences include failed ISO 27001 audits, loss of customer trust in cloud procurements, heightened breach risks from unaddressed multi-tenancy issues, and regulatory scrutiny under data protection laws for inadequate cloud security.

Can ISO 27017 be mapped to other international frameworks?

Yes, ISO 27017 controls can be mapped to frameworks like NIST SP 800-53 and CSA STAR for cross-compliance. Its 37 extended ISO 27002 controls and 7 CLD controls align with cloud-specific requirements in these frameworks, enabling unified evidence collection in multi-framework environments.

What is the first step to begin implementing ISO 27017?

The first step is to conduct a cloud-specific risk assessment within your ISO 27001 ISMS to identify applicable controls. Define scope for CSP/CSC responsibilities (CLD.6.3.1), update the Statement of Applicability, and map the 7 CLD controls to existing processes.

Standards Comparison

MLPS 2.0 (Multi-Level Protection Scheme) vs ISO 27017

MLPS 2.0 (Multi-Level Protection Scheme)

Mandatory

N/A

China's mandatory graded protection for network security

ISO 27017

Voluntary

2015

International code of practice for cloud security controls.

Quick Verdict

MLPS 2.0 mandates graded protection for China network operators via PSB enforcement, while ISO 27017 provides voluntary cloud guidance for global CSPs/CSCs within ISO 27001. China firms comply legally; globals enhance cloud security assurance.

Standard

MLPS 2.0 (Multi-Level Protection Scheme)

China's Multi-Level Protection Scheme 2.0

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Five graded protection levels based on impact severity
Mandatory classification and PSB registration for Level 2+
Comprehensive controls for cloud, IoT, big data, ICS
Strict separation of duties and personnel vetting
Ongoing third-party evaluations and government inspections

Cloud Security

ISO 27017

ISO/IEC 27017:2015 Code of practice for cloud security

Cost

€€€

Complexity

Medium

Implementation Time

6-12 months

Key Features

Clarifies shared responsibilities between CSPs and CSCs
Introduces seven cloud-specific CLD security controls
Provides guidance for 37 ISO 27002 controls in cloud
Addresses multi-tenancy segregation and VM hardening
Enables customer monitoring of cloud service activities

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

MLPS 2.0 (Multi-Level Protection Scheme) Details

What It Is

MLPS 2.0 (Multi-Level Protection Scheme 2.0) is China's mandatory cybersecurity framework operationalizing Article 21 of the 2017 Cybersecurity Law. It requires network operators to classify systems into five protection levels based on potential harm to national security, social order, and public interests, implementing graded technical, management, and physical controls.

Key Components

Core standards: GB/T 22239-2019 (basics), GB/T 25070-2019 (technical), GB/T 28448-2019 (evaluation).
Domains: physical security, network/host protection, data security, monitoring, governance.
Extensions for cloud, IoT, big data, ICS; common controls plus level-specific requirements.
Compliance via self-assessment, expert review (Level 2+), PSB filing, periodic audits.

Why Organizations Use It

Essential for legal compliance in China, avoiding fines, inspections, blacklisting. Enhances risk management, rationalizes investments, builds regulatory trust. Supports integration with DSL/PIPL; boosts resilience and market access.

Implementation Overview

Phased: inventory/classify, gap analysis, remediate, third-party evaluation, PSB registration. Applies to all China-based networks; higher complexity/cost for Level 3+. Requires local expertise, ongoing self-inspections.

ISO 27017 Details

What It Is

ISO/IEC 27017:2015 is a code of practice providing cloud-specific guidance for information security controls. It extends ISO/IEC 27002 for cloud services (IaaS, PaaS, SaaS), clarifying shared responsibilities between CSPs and CSCs via a risk-based approach within an ISO 27001 ISMS.

Key Components

37 controls from ISO 27002 with cloud implementation guidance
7 additional CLD controls (e.g., segregation, VM hardening, asset removal)
Mirrors ISO 27002 domains: access, operations, supplier relationships
No standalone certification; integrated into ISO 27001 audits

Why Organizations Use It

Addresses cloud risks like multi-tenancy, virtualization
Meets procurement and regulatory demands (e.g., GDPR alignment)
Enhances risk management, builds stakeholder trust
Provides competitive differentiation for CSPs/CSCs

Implementation Overview

Map to existing ISO 27001 ISMS, conduct cloud risk assessments
Update SoA, implement controls, train staff
Applies globally to CSPs/CSCs of all sizes
Typical **joint audit9-12 months (annual surveillance)

Key Differences

Aspect	MLPS 2.0 (Multi-Level Protection Scheme)	ISO 27017
Scope	Classified network protection levels 1-5	Cloud-specific security controls guidance
Industry	All China network operators, broad sectors	Global CSPs and customers, all industries
Nature	Mandatory Chinese regulation, PSB enforced	Voluntary ISO code of practice
Testing	Graded third-party evaluations, annual Level 3+	Integrated into ISO 27001 audits
Penalties	Fines, shutdowns, blacklisting by PSBs	No legal penalties, certification loss

Scope

MLPS 2.0 (Multi-Level Protection Scheme)

Classified network protection levels 1-5

ISO 27017

Cloud-specific security controls guidance

Industry

MLPS 2.0 (Multi-Level Protection Scheme)

All China network operators, broad sectors

ISO 27017

Global CSPs and customers, all industries

Nature

MLPS 2.0 (Multi-Level Protection Scheme)

Mandatory Chinese regulation, PSB enforced

ISO 27017

Voluntary ISO code of practice

Testing

MLPS 2.0 (Multi-Level Protection Scheme)

Graded third-party evaluations, annual Level 3+

ISO 27017

Integrated into ISO 27001 audits

Penalties

MLPS 2.0 (Multi-Level Protection Scheme)

Fines, shutdowns, blacklisting by PSBs

ISO 27017

No legal penalties, certification loss

Frequently Asked Questions

Common questions about MLPS 2.0 (Multi-Level Protection Scheme) and ISO 27017

MLPS 2.0 (Multi-Level Protection Scheme) FAQ

ISO 27017 FAQ

You Might also be Interested in These Articles...

Beyond the Burden: How Intuitive Compliance Software Transforms Daily Workflows

Explore intuitive compliance software that automates workflows, simplifies onboarding, and reduces stress. Cut non-compliance costs 3x and boost efficiency for

From Reactive Gatekeeper to Proactive Strategist: How Compliance Software Reshapes the Compliance Professional's Day

Discover how compliance software automates monitoring, delivers real-time insights, and transforms compliance pros from reactive gatekeepers to proactive strate

ISO 27701 Standalone Certification in 2025: Debunking Myths and Navigating the New Reality

Debunk myths on ISO 27701 standalone certification post-2025. Clarify viability, accreditation bodies, ISO 27001 audit differences & procurement benefits. Guide

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how MLPS 2.0 (Multi-Level Protection Scheme) and ISO 27017 compare against other standards

Other MLPS 2.0 (Multi-Level Protection Scheme) Comparisons

Other ISO 27017 Comparisons

What It Is

Key Components

Core standards: GB/T 22239-2019 (basics), GB/T 25070-2019 (technical), GB/T 28448-2019 (evaluation).

Domains: physical security, network/host protection, data security, monitoring, governance.

Extensions for cloud, IoT, big data, ICS; common controls plus level-specific requirements.

Compliance via self-assessment, expert review (Level 2+), PSB filing, periodic audits.

What It Is

Key Components

37 controls from ISO 27002 with cloud implementation guidance
7 additional CLD controls (e.g., segregation, VM hardening, asset removal)
Mirrors ISO 27002 domains: access, operations, supplier relationships
No standalone certification; integrated into ISO 27001 audits

Why Organizations Use It

Addresses cloud risks like multi-tenancy, virtualization
Meets procurement and regulatory demands (e.g., GDPR alignment)
Enhances risk management, builds stakeholder trust
Provides competitive differentiation for CSPs/CSCs

Implementation Overview

Map to existing ISO 27001 ISMS, conduct cloud risk assessments
Update SoA, implement controls, train staff
Applies globally to CSPs/CSCs of all sizes
Typical **joint audit9-12 months (annual surveillance)

Aspect

MLPS 2.0 (Multi-Level Protection Scheme)

ISO 27017

Scope

Classified network protection levels 1-5

Cloud-specific security controls guidance

Industry

All China network operators, broad sectors

Global CSPs and customers, all industries

Nature

Mandatory Chinese regulation, PSB enforced

Voluntary ISO code of practice

Testing

Graded third-party evaluations, annual Level 3+

Integrated into ISO 27001 audits

Penalties

Fines, shutdowns, blacklisting by PSBs

No legal penalties, certification loss