verified_user
Standardful
Homechevron_rightStandardschevron_rightMLPS 2.0
ActiveInternational Standardupdate Standard Updated: December 2019fact_check Fact checked: Jun 28, 2026

MLPS 2.0

Cybersecurity Multi-Level Protection Scheme — GB/T 22239-2019 Information Security Technology, Baseline for Classified Protection of Cybersecurity

apartmentPublishing Organization:Ministry of Public Security of the People's Republic of China (MPS)

Standard Introduction

MLPS 2.0 is an active standard published by Ministry of Public Security of the People's Republic of China (MPS). It is commonly used across Technology, Finance & Banking, Telecommunications, Government, Healthcare, Energy and applies in China.

Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with MLPS 2.0.

Implementation Roadmap

1
Phase 1schedule Duration: 3-6 weeks

Define China cybersecurity classified protection scope

Identify the products, services, systems, entities, jurisdictions, teams, vendors, data flows, and stakeholders covered by MLPS 2.0. Confirm owners, boundaries, applicable obligations, documentation, and evidence expectations for system classification, level determination, public security filing, baseline controls, cloud, mobile, IoT, industrial control, big data extensions, organizational controls, technical controls, assessment, remediation, and ongoing supervision.

2
Phase 2schedule Duration: 4-10 weeks

Assess obligations and gaps

Compare current practices with the expected China cybersecurity classified protection approach. Review asset and system inventory, level determination, filing workflow, security zoning, identity and access control, audit logging, boundary protection, intrusion prevention, data protection, backup, incident response, supplier control, assessment, and rectification, then prioritize gaps by legal exposure, safety or security impact, customer commitments, operational dependency, reporting deadlines, and assurance readiness.

3
Phase 3schedule Duration: 8-24 weeks

Implement controls and evidence

Deploy required procedures, technical controls, review gates, training, supplier workflows, reporting paths, and operational records. Maintain classification records, filing materials, system diagrams, asset inventories, access records, audit logs, test results, assessment reports, rectification plans, training records, incident logs, vendor files, and regulator communications as traceable evidence.

4
Phase 4schedule Duration: Ongoing

Review, report, and improve

Run management reviews, internal checks, testing or independent assessments where applicable, corrective actions, and change reviews. Refresh the program when products, vendors, laws, incidents, reporting cycles, or stakeholder expectations change.

Compliance Checklist

0 / 12

checklist Scope and accountability

checklist Controls and records

checklist Monitoring and assurance

Frequently Asked Questions

Who needs MLPS 2.0?

expand_more

MLPS 2.0 is most relevant to network operators, critical information infrastructure operators, cloud platforms, industrial systems, and organizations operating information systems in China. The exact scope depends on products, services, jurisdictions, reporting duties, customer commitments, technical requirements, and the organization's role in the relevant ecosystem.

Is MLPS 2.0 certifiable?

expand_more

MLPS 2.0 is a Chinese cybersecurity classified protection regime, not a voluntary certification. Systems must be classified, filed where required, protected, assessed, and remediated according to level.

What should implementation focus on first?

expand_more

Start by defining scope, obligations, accountable owners, and the evidence expected by regulators, customers, auditors, assurance providers, certification bodies, or governance bodies. Then perform a gap assessment against current controls and prioritize remediation by risk and deadline.

What evidence is useful for MLPS 2.0?

expand_more

Useful evidence includes classification records, filing materials, system diagrams, asset inventories, access records, audit logs, test results, assessment reports, rectification plans, training records, incident logs, vendor files, and regulator communications. Evidence should be version-controlled, attributable to owners, linked to obligations and controls, and retained for the required review or audit period.

How often should the program be reviewed?

expand_more

Review it at planned intervals and whenever laws, standards, products, vendors, incidents, reporting cycles, customer commitments, technical requirements, or assurance expectations change.

Official Documentation

View All

Related Categories