GB/T 31722-2025: Cybersecurity technology - Guidance on managing information security risks (Status: Valid)

GB/T 31722: evolution and historical versions

| Standard ID | Standard title | Status |
|---|---|---|
| GB/T 31722-2025 | Cybersecurity technology - Guidance on managing information security risks | Valid |
| GB/T 31722-2015 | Information technology -- Security techniques -- Information security risk management | Valid |
Basic data

| Field | Value |
|---|---|
| Standard ID | GB/T 31722-2025 (GB/T31722-2025) |
| Description (translated English) | Cybersecurity technology - Guidance on managing information security risks |
| Sector / Industry | National Standard (Recommended) |
| Classification of Chinese Standard | L80 |
| Classification of International Standard | 35.030 |
| Word count estimation | 54,553 |
| Date of issue | 2025-08-01 |
| Date of implementation | 2026-02-01 |
| Older standard (superseded by this standard) | GB/T 31722-2015 |
| Issuing agency(ies) | State Administration for Market Regulation; Standardization Administration of China |
GB/T 31722-2025: Cybersecurity technology - Guidance on managing information security risks---This is an excerpt. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.), auto-downloaded/delivered in 9 seconds, can be purchased online: https://www.ChineseStandard.net/PDF.aspx/GBT31722-2025
ICS 35.030
CCS L80
National Standard of the People's Republic of China
Replaces GB/T 31722-2015
Cybersecurity technology - Guidance on managing information security risks
Issued on August 1, 2025
Implemented on February 1, 2026
Issued by the State Administration for Market Regulation and the Standardization Administration of China
Table of Contents
Preface
Introduction
1 Scope
2 Normative references
3 Terms and definitions
3.1 Terms related to information security risk
3.2 Terms related to information security risk management
4 Structure of this document
5 Information security risk management
5.1 Information security risk management process
5.2 Information security risk management cycle
6 Context establishment
6.1 Organizational considerations
6.2 Identifying the basic requirements of interested parties
6.3 Application of risk assessment
6.4 Establishing and maintaining information security risk criteria
6.5 Choosing an appropriate method
7 Information security risk assessment process
7.1 General
7.2 Information security risk identification
7.3 Information security risk analysis
7.4 Information security risk evaluation
8 Information security risk treatment process
8.1 General
8.2 Selecting appropriate information security risk treatment options
8.3 Determining all controls that are necessary to implement the information security risk treatment options
8.4 Comparing the determined controls with those in Annex A of GB/T 22080-2025
8.5 Producing a Statement of Applicability
8.6 Information security risk treatment plan
9 Operation
9.1 Performing the information security risk assessment process
9.2 Performing the information security risk treatment process
10 Leveraging related ISMS processes
10.1 Organizational context
10.2 Leadership and commitment
10.3 Communication and consultation
10.4 Documented information
10.5 Monitoring and review
10.6 Management review
10.7 Corrective action
10.8 Continual improvement
Annex A (informative) Examples of techniques in support of the risk assessment process
A.1 Information security risk criteria
A.2 Practical techniques
Bibliography
Figure 1 Information security risk management process
Figure A.1 Components of information security risk assessment
Figure A.2 Example of an asset dependency graph
Figure A.3 Identification of stakeholders in the ecosystem
Figure A.4 Risk assessment based on risk scenarios
Figure A.5 Example of SFDT model application
Table A.1 Example of a consequence scale
Table A.2 Example of a likelihood scale
Table A.3 Examples of qualitative approaches to risk criteria
Table A.4 Example of a logarithmic likelihood scale
Table A.5 Example of a logarithmic consequence scale
Table A.6 Example of an evaluation scale using a three-colour risk matrix
Table A.7 Examples of risk sources and common attack methods
Table A.8 Example of motivation classification using expected end state
Table A.9 Examples of attack targets
Table A.10 Examples of typical threats
Table A.11 Examples of typical vulnerabilities
Table A.12 Examples of risk scenarios in the two approaches
Table A.13 Examples of the relationship between risk scenarios and monitoring of risk-related events
Preface
This document has been drafted in accordance with the provisions of GB/T 1.1-2020 "Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents".
This document replaces GB/T 31722-2015 "Information technology - Security techniques - Information security risk management". Compared with GB/T 31722-2015, in addition to structural adjustments and editorial changes, the main technical changes are as follows:
a) Deleted the terms "impact", "information security risk", "risk avoidance" and "risk estimation" and their definitions (see Clause 3 of the 2015 edition);
b) Added terms such as "risk scenario" and "control" and their definitions (see Clause 3);
c) Deleted "Background" (see Clause 5 of the 2015 edition);
d) Added "Information security risk management cycle" (see 5.2);
e) Modified the "Information security risk assessment process" to include the "event-based approach" and the "asset-based approach" (see Clause 7; Clause 8 of the 2015 edition);
f) Added "Operation" (see Clause 9);
g) Added "Leveraging related ISMS processes" (see Clause 10).
This document is identical (IDT) to ISO/IEC 27005:2022 "Information security, cybersecurity and privacy protection - Guidance on managing information security risks".
The following minimal editorial changes have been made to this document:
---To coordinate with China's technical standards system, the title of the standard has been changed to "Cybersecurity technology - Guidance on managing information security risks".
Please note that some of the contents of this document may involve patents. The issuing organization of this document does not assume responsibility for identifying patents.
This document was proposed by and is under the jurisdiction of the National Cybersecurity Standardization Technical Committee (SAC/TC260).
Drafting organizations of this document: China Electronics Technology Standardization Institute, Beijing Anxin Tianxing Technology Co., Ltd., China Cybersecurity Review, Certification and Market Supervision Big Data Center, China National Accreditation Service for Conformity Assessment, China Information Security Evaluation Center, Heilongjiang Provincial Cyberspace Research Center, China Electronics Great Wall Internet System Application Co., Ltd., Shandong Provincial Institute of Standardization, Beijing Tianrongxin Network Security Technology Co., Ltd., Guangzhou Civil Aviation Information Technology Co., Ltd., Shaanxi Network and Information Security Evaluation Center, AsiaInfo Technologies (Chengdu) Co., Ltd., China Southern Power Grid, China Power Grid Information and Communication Technology Co., Ltd., New H3C Technologies Co., Ltd., State Grid Network Security (Beijing) Technology Co., Ltd., National Computer Network Emergency Technical Processing Coordination Center, China United Network Communications Group Co., Ltd., Venusstar Information Technology Group Co., Ltd., Beijing Shenzhou Green Alliance Technology Co., Ltd., China Science and Technology Information Security Common Technology National Engineering Research Center Co., Ltd., Hangzhou Anheng Information Technology Co., Ltd., the First Research Institute of the Ministry of Public Security, Beijing Hillstone Network Technology Co., Ltd., Civil Aviation Chengdu Electronic Information Technology Co., Ltd., Beijing Zhongjin Cloud Network Technology Co., Ltd., Beijing CESI Certification Co., Ltd., Shanghai Guanan Information Technology Co., Ltd., Shanghai Sanzero Guard Information Security Co., Ltd., Beijing Times Newway Information Technology Co., Ltd., Northwestern Polytechnical University, and State Energy Group New Energy Technology Research Institute Co., Ltd.
Main drafters of this document: Xu Yuna, Chen Qingmin, Lin Yanghuichen, Wang Bingzheng, Fu Zhigao, Youqi, Fan Kefeng, Li Lin, Wang Yan, Fang Zhou, Qu Jiaxing, Bai Rui, Min Jinghua, Gong Wei, Lei Xiaofeng, Bai Xudong, Yang Jingjing, Lu Li, Wang Jiao, Zhu Xuefeng, Zheng Yaozong, Li Jun, Liao Shuangxiao, Wang Jian, Wan Xiaolan, Li Zhiqi, Cui Mufan, Jin Pu, Hu Yue, Hao Shaoshuo, Hu Jianxun, Chen Xing, Lü You, Li Qiuxiang, He Yisheng, Ma Yong, Cheng Yan, Zhao Lihua, Xie Jiang, Liu Biao, Wang Lianqiang, Wang Zhen, Gao Chao, Zhang Qiusheng, Li Jing, and Lü Fangchao.
The previous versions of this document and the documents it replaces are as follows:
---First published in 2015 as GB/T 31722-2015;
---This is the first revision.
Introduction
This document provides guidance on:
---implementing the information security risk management requirements specified in GB/T 22080-2025, in particular the actions to address information security risks (see 6.1 and Clause 8 of GB/T 22080-2025);
---implementing the risk management guidance of GB/T 24353-2022 in the context of information security.
This document contains specific guidance on risk management and supplements the guidance in GB/T 31496-2023.
Cybersecurity technology - Guidance on managing information security risks
1 Scope
This document provides guidance to assist organizations to:
---fulfil the requirements of GB/T 22080-2025 concerning actions to address information security risks;
---perform information security risk management activities, specifically information security risk assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
2 Normative references
The contents of the following documents constitute essential provisions of this document through normative references in the text. For dated references, only the version corresponding to that date applies to this document; for undated references, the latest version (including all amendments) applies to this document.
GB/T 29246-2023 Information security technology - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2018, IDT)
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses.
3.1 Terms related to information security risk
3.1.1
external context
External environment in which the organization seeks to achieve its objectives.
Note: The external context includes the following:
---the international, national, regional or local social, cultural, political, legal, regulatory, financial, technological, economic and natural environment;
---key drivers and trends that have an impact on the objectives of the organization;
---relationships with external interested parties, and their perceptions, values, needs and expectations;
---contractual relationships and commitments;
---the complexity of networks and dependencies.
[Source: GB/T 23694-2024, 3.3.4, modified]
3.1.2
internal context
Internal environment in which the organization seeks to achieve its objectives.
Note: The internal context includes the following:
---vision, mission and values;