What is the primary objective of **MLPS 2.0 (Multi-Level Protection Scheme)**?

**The primary objective of MLPS 2.0 is to establish a graded cybersecurity protection system ensuring security controls match the potential harm from system compromise to national security, social order, and public interests.** It classifies networks into five levels (1-5) based on impact severity, mandating technical, management, physical, and personnel controls via standards like GB/T 22239-2019, with common baselines for all levels and extensions for cloud, IoT, and big data.

Who is legally or professionally required to comply with **MLPS 2.0 (Multi-Level Protection Scheme)**?

**All network operators in mainland China must comply with MLPS 2.0 under Article 21 of the 2017 Cybersecurity Law.** This includes domestic enterprises, foreign-invested firms, cloud providers, and operators of IT, OT, IoT, or big data systems; critical sectors like finance and energy often classify at Level 3+.

Does **MLPS 2.0 (Multi-Level Protection Scheme)** require an external audit or third-party certification?

**Yes, MLPS 2.0 requires external security reviews by licensed Chinese firms for Level 2+ systems, with PSB approval and a minimum score of 75/100.** Level 1 needs only self-assessment; higher levels demand formal certification, documentation submission, and periodic re-evaluations.

How often should an assessment for **MLPS 2.0 (Multi-Level Protection Scheme)** be performed?

**Assessments under MLPS 2.0 must occur biennially for Level 2, annually for Level 3, semi-annually for Level 4, and as mandated for Level 5.** Re-evaluations are also required after major changes; self-inspections apply continuously across all levels.

What are the consequences of non-compliance with **MLPS 2.0 (Multi-Level Protection Scheme)**?

**Non-compliance with MLPS 2.0 results in fines up to 100,000 yuan, operational suspensions, system shutdowns, and intensified PSB inspections.** Enforcement ties to business license renewals; severe cases involve blacklisting or criminal liability.

An **MLPS 2.0 (Multi-Level Protection Scheme)** be mapped to other international frameworks?

**Yes, MLPS 2.0 control domains map closely to ISO 27001 Annex A and NIST CSF categories.** Organizational, physical, and technical controls align, enabling gap analysis via Statement of Applicability, though MLPS adds prescriptive grading and PSB oversight.

What is the first step to begin implementing **MLPS 2.0 (Multi-Level Protection Scheme)**?

**The first step is conducting a provisional self-assessment to classify systems into Levels 1-5 based on impact to national security and public interests.** Inventory assets, document rationale per GB/T 22239-2020, then file with local PSB within 30 days for Level 2+.

What is the primary objective of **ISO 28000**?

**ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) for the supply chain.** The 2022 edition provides a risk-based framework to identify, assess, and treat security risks across supply chains, protecting people, assets, goods, infrastructure, and information through PDCA cycles, leadership commitment, operational controls, performance evaluation, and continual improvement.

Who is legally or professionally required to comply with **ISO 28000**?

**No organizations are legally required to comply with ISO 28000, as it is a voluntary international standard.** Professionally, it applies to any organization managing supply chain security, including logistics, transportation, manufacturing, retail, pharmaceuticals, energy, ports, freight forwarders, and 3PL/4PL providers, from micro-enterprises to multinationals, driven by contracts, customs programs, tenders, or risk priorities.

Oes **ISO 28000** require an external audit or third-party certification?

**ISO 28000 does not require external audit or third-party certification, but supports conformity verification through internal or external audits.** Certification follows ISO 28003 requirements for certification bodies, typically via accredited bodies like ANAB, involving Stage 1 (readiness) and Stage 2 (effectiveness) audits, with 3-year validity and annual surveillance audits.

How often should an assessment for **ISO 28000** be performed?

**ISO 28000 requires risk assessments to be maintained ongoing, with internal audits at planned intervals based on risk, results, and changes.** Management reviews occur at planned intervals, typically annually; refresh risk assessments annually or upon major supply chain changes, supported by continual monitoring of KPIs like incident rates and supplier controls.

What are the consequences of non-compliance with **ISO 28000**?

**Non-compliance with ISO 28000 carries no direct legal penalties, as it is voluntary.** Consequences include indirect risks such as operational disruptions from theft/sabotage, contract losses, higher insurance premiums, denied market access, reputational damage, and regulatory scrutiny in programs requiring security credentials.

An **ISO 28000** be mapped to other international frameworks?

**Yes, ISO 28000:2022 aligns with the High Level Structure (HLS) for easy mapping to other ISO management systems.** Its PDCA and clause structure (4-10) integrate with standards sharing HLS, enabling unified risk registers, audits, and reviews while focusing on supply chain security risks.

What is the first step to begin implementing **ISO 28000**?

**The first step is executive decision and scoping: secure sponsorship, define SMS boundaries, map supply chains, and charter the program.** Appoint a Senior Responsible Owner, conduct initial risk exposure briefing, and produce a project charter with timeline, resources, and communications plan.

MLPS 2.0 (Multi-Level Protection Scheme) vs ISO 28000

Standards Comparison

MLPS 2.0 (Multi-Level Protection Scheme)

Mandatory

2019

China's mandatory graded cybersecurity protection regime

ISO 28000

Voluntary

2022

International standard for supply chain security management systems

Quick Verdict

MLPS 2.0 mandates graded cybersecurity for China's networks via PSB enforcement, while ISO 28000 offers voluntary supply chain security management globally. China firms adopt MLPS for legal compliance; global firms choose ISO for resilience and certification.

Cybersecurity

MLPS 2.0 (Multi-Level Protection Scheme)

Multi-Level Protection Scheme 2.0 (MLPS 2.0)

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Five-level impact-based classification of systems
Mandatory PSB registration and approval Level 2+
Third-party audits with 75/100 passing score
Extended controls for cloud IoT ICS big data
Law enforcement oversight by Public Security Bureaus

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems Requirements

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based supply chain security assessment and treatment
Leadership commitment and security policy requirements
Supplier and third-party governance controls
Incident response and recovery planning
PDCA cycle for continual improvement

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

MLPS 2.0 (Multi-Level Protection Scheme) Details

What It Is

MLPS 2.0 (Multi-Level Protection Scheme 2.0) is China's legally enforceable regulatory framework for hierarchical cybersecurity protection. Mandated by Article 21 of the 2017 Cybersecurity Law, it requires all network operators to classify systems into five protection levels based on potential harm to national security, social order, and public interests. It employs an impact-based classification model with technical, governance, and management controls scaling by level.

Key Components

Domains: physical security, network protection, data security, operations monitoring, personnel management.
Standards: GB/T 22239-2019 (baseline), GB/T 25070-2019 (technical), GB/T 28448-2019 (evaluation).
Extensions for cloud, IoT, big data, industrial controls.
Compliance: self-assessment, third-party audits (Level 2+ scoring 75/100), PSB approval, re-evaluations.

Why Organizations Use It

Avoids fines, license suspensions, inspections.
Meets legal obligations for China operations.
Strengthens risk management, resilience.
Enables market access, builds regulator trust.

Implementation Overview

Phased: inventory, classify, gap analysis, remediate, audit, monitor.
Targets all mainland China network operators.
PSB enforcement requires local expertise.

ISO 28000 Details

What It Is

ISO 28000:2022 is an international certification standard specifying requirements for establishing, implementing, maintaining, and improving a security management system (SMS) focused on supply chain security and resilience. It adopts a risk-based approach using the PDCA cycle to manage threats across people, assets, infrastructure, and information.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, performance evaluation, and improvement.
Emphasizes risk assessment, security controls, incident response, supplier governance, and continual improvement.
Built on ISO High Level Structure for integration with standards like ISO 22301 and ISO 27001.
Optional certification via accredited bodies per ISO 28003.

Why Organizations Use It

Mitigates risks like theft, sabotage, and disruptions; reduces incident costs and insurance premiums.
Meets contractual, regulatory, and trade facilitation needs (e.g., C-TPAT equivalents).
Enhances resilience, market access, stakeholder trust, and competitive edge in logistics, manufacturing, and more.

Implementation Overview

Phased: scoping, gap analysis, risk assessment, controls deployment, audits, certification.
Scalable for all sizes/industries; 6-36 months typical.
Involves training, supplier engagement, KPIs, and management reviews.