What is the primary objective of **MLPS 2.0 (Multi-Level Protection Scheme)**?

**The primary objective of MLPS 2.0 is to establish a graded cybersecurity protection system for all network operators in China, ensuring security controls match the potential harm from system compromise to national security, social order, public interests, and citizens' rights.** Operationalized under Article 21 of the 2017 Cybersecurity Law, it requires classification into five levels (1-5) based on impact severity, with controls defined in GB/T 22239-2019 (basics), GB/T 25070-2019 (technical), and GB/T 28448-2019 (evaluation), covering cloud, IoT, big data, and industrial systems.

Who is legally or professionally required to comply with **MLPS 2.0 (Multi-Level Protection Scheme)**?

**All "network operators" in mainland China must comply with MLPS 2.0, defined broadly to include any entity building, operating, or using networks or information systems.** This encompasses domestic enterprises, foreign multinationals with China operations, cloud providers, and critical infrastructure operators across sectors like finance and energy; virtually no organization with IT systems is exempt, with filing required via local Public Security Bureaus (PSBs).

Does **MLPS 2.0 (Multi-Level Protection Scheme)** require an external audit or third-party certification?

**Yes, MLPS 2.0 requires external audits and third-party evaluations for systems at Level 2 and above, conducted by licensed Chinese firms per GB/T 28448-2019 scoring (typically ≥75/100 pass threshold).** Level 1 relies on self-assessment; higher levels mandate PSB approval post-audit, with documentation like topology diagrams and controls verified on-site.

How often should an assessment for **MLPS 2.0 (Multi-Level Protection Scheme)** be performed?

**Assessments under MLPS 2.0 must occur periodically based on level: biennially for Level 2, annually for Level 3, semi-annually for Level 4, and as mandated for Level 5, plus self-inspections and re-evaluations after major changes.** Third-party evaluations and PSB verifications ensure ongoing compliance, with online exams and inspections possible anytime.

What are the consequences of non-compliance with **MLPS 2.0 (Multi-Level Protection Scheme)**?

**Non-compliance with MLPS 2.0 triggers administrative fines (e.g., RMB 50,000+ as in Jiangsu hacking case, up to RMB 223 million in banking breaches), operational suspensions, blacklisting, and intensified PSB inspections.** Over 6,400 investigations since 2017 demonstrate enforcement, including dawn raids and license impacts for unfiled or failed systems.

Can **MLPS 2.0 (Multi-Level Protection Scheme)** be mapped to other international frameworks?

**Yes, MLPS 2.0 controls can be mapped to frameworks like ISO 27001 and NIST CSF, aligning domains such as governance, access, and monitoring, though MLPS adds China-specific elements like data localization and PSB oversight.** Organizations leverage existing ISMS for efficiency but address gaps in prescriptive grading and enforcement.

What is the first step to begin implementing **MLPS 2.0 (Multi-Level Protection Scheme)**?

**The first step is to conduct a comprehensive inventory of grading objects (networks, systems, applications) and perform preliminary impact-based classification into Levels 1-5 using GB/T 22239-2019 matrices.** This self-assessment of harm to national security, social order, and rights informs scoping, followed by expert review for Level 2+ and PSB filing within 30 days.

What is the primary objective of **ISO 27017**?

**ISO 27017 provides cloud-specific implementation guidance for 37 ISO 27002 controls plus 7 additional cloud-focused controls (CLD.6.3.1, CLD.8.1.5, CLD.9.5.1, CLD.9.5.2, CLD.12.1.5, CLD.12.4.5, CLD.13.1.4) to address shared responsibilities, multi-tenancy, virtual machine configuration, and customer monitoring in cloud environments.** Published in 2015, it extends ISO 27001 ISMS for CSPs and CSCs, clarifying roles in IaaS, PaaS, and SaaS models.

Who is legally or professionally required to comply with **ISO 27017**?

**No organization is legally required to comply with ISO 27017, as it is a voluntary code of practice rather than a mandated regulation.** Professionally, it applies to **cloud service providers (CSPs)** and **cloud service customers (CSCs)** managing cloud risks within an ISO 27001 ISMS, particularly those facing procurement demands or regulatory pressures like GDPR for cloud data handling.

Does **ISO 27017** require an external audit or third-party certification?

**ISO 27017 does not support standalone third-party certification or require a separate external audit.** It is implemented and assessed within an **ISO 27001 ISMS audit**, where certification bodies evaluate the 7 CLD controls and 37 extended controls as part of the ISO 27001 scope.

How often should an assessment for **ISO 27017** be performed?

**ISO 27017 assessments occur as part of annual ISO 27001 surveillance audits and triennial recertification audits.** Organizations must also perform **ongoing risk assessments** and internal reviews to ensure continuous alignment of cloud controls like virtual segregation (CLD.9.5.1) and customer monitoring (CLD.12.4.5).

What are the consequences of non-compliance with **ISO 27017**?

**Non-compliance with ISO 27017 carries no direct legal penalties, as it is a voluntary guidance standard.** Indirect consequences include failed ISO 27001 audits, loss of customer trust in cloud procurements, heightened breach risks from unaddressed multi-tenancy issues, and regulatory scrutiny under data protection laws for inadequate cloud security.

Can **ISO 27017** be mapped to other international frameworks?

**Yes, ISO 27017 controls can be mapped to frameworks like NIST SP 800-53 and CSA STAR for cross-compliance.** Its 37 extended ISO 27002 controls and 7 CLD controls align with cloud-specific requirements in these frameworks, enabling unified evidence collection in multi-framework environments.

What is the first step to begin implementing **ISO 27017**?

**The first step is to conduct a cloud-specific risk assessment within your ISO 27001 ISMS to identify applicable controls.** Define scope for CSP/CSC responsibilities (CLD.6.3.1), update the Statement of Applicability, and map the 7 CLD controls to existing processes.

MLPS 2.0 (Multi-Level Protection Scheme) vs ISO 27017

Standards Comparison

MLPS 2.0 (Multi-Level Protection Scheme)

Mandatory

N/A

China's mandatory graded protection for network security

ISO 27017

Voluntary

2015

International code of practice for cloud security controls.

Quick Verdict

MLPS 2.0 mandates graded protection for China network operators via PSB enforcement, while ISO 27017 provides voluntary cloud guidance for global CSPs/CSCs within ISO 27001. China firms comply legally; globals enhance cloud security assurance.

Standard

MLPS 2.0 (Multi-Level Protection Scheme)

China's Multi-Level Protection Scheme 2.0

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Five graded protection levels based on impact severity
Mandatory classification and PSB registration for Level 2+
Comprehensive controls for cloud, IoT, big data, ICS
Strict separation of duties and personnel vetting
Ongoing third-party evaluations and government inspections

Cloud Security

ISO 27017

ISO/IEC 27017:2015 Code of practice for cloud security

Cost

€€€

Complexity

Medium

Implementation Time

6-12 months

Key Features

Clarifies shared responsibilities between CSPs and CSCs
Introduces seven cloud-specific CLD security controls
Provides guidance for 37 ISO 27002 controls in cloud
Addresses multi-tenancy segregation and VM hardening
Enables customer monitoring of cloud service activities

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

MLPS 2.0 (Multi-Level Protection Scheme) Details

What It Is

MLPS 2.0 (Multi-Level Protection Scheme 2.0) is China's mandatory cybersecurity framework operationalizing Article 21 of the 2017 Cybersecurity Law. It requires network operators to classify systems into five protection levels based on potential harm to national security, social order, and public interests, implementing graded technical, management, and physical controls.

Key Components

Core standards: GB/T 22239-2019 (basics), GB/T 25070-2019 (technical), GB/T 28448-2019 (evaluation).
Domains: physical security, network/host protection, data security, monitoring, governance.
Extensions for cloud, IoT, big data, ICS; common controls plus level-specific requirements.
Compliance via self-assessment, expert review (Level 2+), PSB filing, periodic audits.

Why Organizations Use It

Essential for legal compliance in China, avoiding fines, inspections, blacklisting. Enhances risk management, rationalizes investments, builds regulatory trust. Supports integration with DSL/PIPL; boosts resilience and market access.

Implementation Overview

Phased: inventory/classify, gap analysis, remediate, third-party evaluation, PSB registration. Applies to all China-based networks; higher complexity/cost for Level 3+. Requires local expertise, ongoing self-inspections.

ISO 27017 Details

What It Is

ISO/IEC 27017:2015 is a code of practice providing cloud-specific guidance for information security controls. It extends ISO/IEC 27002 for cloud services (IaaS, PaaS, SaaS), clarifying shared responsibilities between CSPs and CSCs via a risk-based approach within an ISO 27001 ISMS.

Key Components

37 controls from ISO 27002 with cloud implementation guidance
7 additional CLD controls (e.g., segregation, VM hardening, asset removal)
Mirrors ISO 27002 domains: access, operations, supplier relationships
No standalone certification; integrated into ISO 27001 audits

Why Organizations Use It

Addresses cloud risks like multi-tenancy, virtualization
Meets procurement and regulatory demands (e.g., GDPR alignment)
Enhances risk management, builds stakeholder trust
Provides competitive differentiation for CSPs/CSCs

Implementation Overview

Map to existing ISO 27001 ISMS, conduct cloud risk assessments
Update SoA, implement controls, train staff
Applies globally to CSPs/CSCs of all sizes
Typical **joint audit9-12 months (annual surveillance)