
GB/T 20986-2023

Information security technology - Guidelines for category and classification of cybersecurity incidents (English Version)

Standard No.: GB/T 20986-2023
Language: Chinese, English version preview
Release Date: 2023
Published By: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China
Latest: GB/T 20986-2023
Replaces: GB/Z 20986-2007
Scope
This document describes the methods for categorizing and grading cybersecurity incidents, defines categories and levels of cybersecurity events, and clarifies the classification codes for cybersecurity events. This document applies to network operators and relevant departments for conducting activities such as cybersecurity incident assessment, information notification, monitoring and early warning, and emergency response.
Introduction

Standard Revision Background and Technology Evolution

GB/T 20986-2023, as a revised version of GB/Z 20986-2007, has achieved three major breakthroughs: the guiding document has been upgraded to a national standard, the event classification has been expanded from 7 categories to 10 categories, and the number of subcategories has increased from 28 to 45. New threat classifications such as APT attacks and data poisoning have been added to reflect the security challenges in new technology environments such as cloud computing and the Internet of Things.


Analysis of the core classification system

| Major categories of events | Number of subcategories in the 2007 version | Number of subcategories in the 2023 version | Typical new subcategories |
| --- | --- | --- | --- |
| Malicious program events | 7 | 10 | Ransomware, mining viruses, malicious code host sites |
| Cyber attack events | 7 | 21 | BGP hijacking, supply chain attacks, dark link implants |
| Data security incidents | 5 | 12 | Data poisoning, location detection, social engineering |

Typical scenario examples

Ransomware incident (01007): The system of a hospital was encrypted, resulting in the interruption of emergency services. According to the scope of impact, it was assessed as a Level 2 major incident and an emergency response needed to be initiated within 2 hours.


Classification elements and implementation process

The event level determination needs to integrate three dimensions:

  1. Importance of the affected object: refer to the classification results of Grade Protection 2.0
  2. Degree of business loss: four levels: extremely serious/serious/relatively serious/minor
  3. Degree of social harm: four levels: extremely serious/serious/relatively serious/general

Grading decision tree:
1. Determine the level of the affected object first
2. Assess business losses and social harm separately
3. Determine the final level by taking the higher of the two assessments


Enterprise implementation suggestions

  • Event library construction: Establish a standardized event knowledge base based on Appendix B codes
  • Response plan matching: Formulate differentiated disposal time limit requirements for events of different levels
  • Automation tool integration: Build a classification and grading decision engine into the SIEM system

Note: For particularly serious incidents (level 1), a cross-departmental joint handling mechanism needs to be established, and a national emergency response should be initiated when necessary.

GB/T 20986-2023 Referenced Document

  • GB/T 22240-2020 Information security technology—Classification guide for classified protection of cybersecurity
  • GB/T 25069-2022 Information security techniques—Terminology

GB/T 20986-2023 history

  • 2023 GB/T 20986-2023 Information security technology - Guidelines for category and classification of cybersecurity incidents
  • 2007 GB/Z 20986-2007 Information security technology.Guidelines for the category and classification of information security incidents

GB/T 20986-2023 Information security technology - Guidelines for category and classification of cybersecurity incidents replaces GB/Z 20986-2007 Information security technology.Guidelines for the category and classification of information security incidents.



