1. Scope of application
This rule is formulated in accordance with the Network Security Law of the People's Republic of China and the Certification and Accreditation Regulations of the People's Republic of China, and provides the basic principles and requirements for the safety certification of network key equipment and network security products.
This rule applies for key equipment and network security products, shall comply with the state Internet information office, the Ministry of Industry and Information Technology, the Ministry of Public Security, state of release as "key equipment and network security product directory (first batch) > announcement" (announcement no. 1, 2017) in the corresponding requirement of the scope of description (see appendix 1).
The standards for safety certification shall be implemented according to the requirements of relevant competent authorities.
2. Authentication mode
Type test + factory inspection + post-certification supervision
3. Basic steps of certification
3.1 Certification application and acceptance
3.2 Document Review
3.3 Commissioning and implementation of type test
3.4 Factory Inspection
3.5 Evaluation and approval of certification results
3.6 Post-certification supervision
4. Certification implementation
4.1 Authentication Process
Certification client to the certification body to apply for certification, certification body after receiving the certification client's application, review the application materials, confirm qualified to the certification client to choose the laboratory testing task, and inform the client according to the requirements of sampling testing. The laboratory conducts tests according to relevant standards and/or technical specifications and submits test reports to the certification body upon completion of the tests. The certification body shall, if necessary, organize factory inspection after passing the examination of the test report. The certification body makes certification decisions on the results of type test and factory inspection, and issues certification certificates to the certification client after the evaluation of the certification decision is qualified. Certification bodies organize regular supervision of certified products.
4.2 Certification application and acceptance
Certification client to the certification body submitted certification application, and according to the requirements of the submission of relevant information, the certification body to the information of the preliminary review, to determine the certification client submitted information to meet the requirements, the application is accepted.
4.2.1 Authentication unit division
Apply for certification according to the product model/version. If the key parts of the product are the same, they can be applied for certification as a unit. The certification body shall make provisions on the key parts of the product according to the certification requirements.
When applying for certification for the same certification unit with more than one model/version of the product, the certification client shall submit the description of the differences between models/versions in the same certification unit and relevant test reports.
4.2.2 Application materials requirements
When applying for safety certification, the certification client shall at least submit the following information:
1) Basic Application Information:
Certificate application;
Sino Sino Certification client statement;
Evidence of legal status related to the purchase of a ticket (copy);
Buy a document on the quality system aspect.
2) Declaration of relevant technical indicators and supporting materials (according to the content in Appendix 1 "Scope").
3) Product description:
Costing a Chinese product function manual and/or user manual;
Explanation of the applicability of the Certification standard;
Lists of principal technical personnel involved in product development;
Fact sheet for product testing technicians;
Buy a product to test a list of the main devices used;
Chinese nameplates and warning signs;
Buy a ticket to explain the differences between models/versions in the same authentication unit and a test report (if applicable);
Virtual Gateway Product password detection certificate (if applicable).
4) Documents related to security requirements:
Virtual gateway Configuration management;
Sino Delivery and operation;
development;
Costing a instructional document;
testing.
5) Documents related to safety functions.
6) Other information required by the certification body.
4.3 Document Review
Review the materials and documents submitted by the certification client according to relevant standards and/or the technical specifications of the product.
4.4 Commissioning and implementation of type test
4.4.1 Type test sampling
4.4.1.1 Sampling Requirements
The certification body arranges to sample the products applied for certification according to model/version, and the samples should be randomly selected in the products produced by the production enterprise (including production line, warehouse, market). Generally, 2 sets of each product are sampled, and the sample quantity can be increased if there are special needs.
The authorized consignor delivers the sample to the laboratory and is responsible for the sample.
The certification client shall provide corresponding instructions and auxiliary equipment according to the requirements of type test.
4.4.1.2 Disposal of samples and relevant data
After the certification, the certification client can apply to the laboratory to retrieve the type test samples, and the relevant application materials will be properly disposed of by the certification body and the laboratory.
4.4.2 Basis for type test
According to the relevant national standards of the corresponding products.
4.4.3 Submission of type test report
After the completion of the type test, the laboratory will issue the type test report according to the requirements of the certification body and submit it to the certification body.
4.5 Factory Inspection
4.5.1 Review content
The content of factory inspection is information security assurance capability, quality assurance capability and product consistency inspection.
4.5.1.1 Information security assurance capability
The certification body shall send inspectors to manufacturers and production enterprises in accordance with annex 2 (basic requirements for information security capability) to implement audit (when the certification basis of national standards cover security capability requirements, according to the corresponding national standards).
4.5.1.2 Quality assurance capability
The certification body shall send inspectors to inspect the manufacturing enterprises in accordance with Annex 3 (Basic Requirements for Quality Assurance Capability) and the supplementary inspection requirements formulated by the certification body.
4.5.1.3 Product Consistency
Factory inspection, should be in the production site to apply for certification of the product consistency check. Focus on the following items:
1) Whether the product name, model/version number and type test report on the nameplate, package and operation of the certification product are consistent;
2) The software and hardware used in the certified products shall be consistent with the qualified samples in the type test;
3) Whether non-certified products are labeled with certification labels in violation of regulations.
4.5.2 Factory inspection time
The certification body shall arrange factory inspection according to the requirements of certification implementation. Person days are determined according to the number of units applied for certification products, and appropriate consideration of manufacturers, production enterprises and the size of the product security level, generally each place for 2 to 6 personal days.
4.6 Evaluation and approval of certification results
The certification body is responsible for the comprehensive evaluation of the type test, factory inspection results, etc., and make the certification decision. If the certification decision is passed, the certification body will issue the certification certificate to the certification client (each certification unit will issue one certification certificate). If the certification decision process is not found to meet the certification requirements, allow a period of time (not more than 3 months) rectification, rectification completed as scheduled, the certification body to take the appropriate way to confirm the rectification results, re-implement the certification decision process.
4.7 Post-certification supervision
4.7.1 Frequency of supervision
The frequency of supervision is usually once a year. When there are special provisions, the certification body can adjust the frequency of supervision. When necessary, the certification body may conduct supervision without prior notice.
The monitoring frequency can be increased if one of the following conditions occurs:
1) When the certified product has serious quality problems, or the user makes complaints and it is confirmed that the certificate holder is responsible;
2) the certification body has sufficient reason to question the conformity of the certified product with the specified standard requirements;
3) There is sufficient information indicating that the manufacturer or manufacturer may affect product quality due to changes in organizational structure, production conditions, quality management system, etc.
4.7.2 Supervision content
After obtaining the certificate, the supervision is carried out by means of factory inspection, mainly for information security assurance ability, certification product consistency and quality assurance ability. When necessary, samples can be taken and sent to the laboratory for testing. When sampling is needed, sampling shall be carried out according to the requirements of 4.4.1.1. The testing items of the initial certification application can be used as the testing items of the supervision, and the certification body can carry out some or all of the testing items according to the specific situation. The testing of samples is generally completed within 20 working days by the testing laboratory designated by the certification body.
4.7.3 Evaluation of supervision results after certification
After passing the supervision and re-examination, they may continue to maintain their certification certificates and use their certification marks. Corrective measures shall be completed within 3 months for non-conformance found during supervision review. Within the time limit, the certificate shall be revoked, the use of the certification mark shall be stopped, and the public announcement shall be made.
5. Certification time limit
Certification time limit refers to the actual working days from the date when the application is formally accepted to the issue of the certification certificate, generally within 90 working days. Rectification time is not counted.
6. Certification certificate
6.1 Certificate Validity
The certificate is valid for 5 years. In the validity period, through the annual product certification after supervision to ensure the validity of the certification certificate.
6.2 Certificate Changes
6.2.1 Application for Change
After obtaining the certificate of the product, if its manufacturer, production enterprises, certificate holders and other changes, should be submitted to the certification body for change.
6.2.2 Evaluation and approval of application for change
The certification body will review the documents according to the changed content and provided information, arrange type test and/or factory inspection when necessary, and change the certificate after passing the certification evaluation.
6.2.3 Validity period of the Certificate
The validity period of the certificate after modification is the same as the original certificate.
6.3 Extension of products covered by certificates
6.3.1 Application for Product Extension covered by certification Certificate
When the certification certificate holder needs to increase the certification scope of the products that have been certified, he/she shall apply for extension to the certification body and submit a description of the difference between the extended products and the original certified products.
6.3.2 Evaluation and approval of product extension covered by certification certificate
The certification body shall verify the consistency of the extended product and the original certified product, confirm the validity of the original certified product, and do supplementary type test and/or factory inspection for the difference when necessary, and issue certification certificate or replace certification certificate separately according to the requirements of the certification certificate holder.
6.3.3 Validity Period of the Certificate
After a certificate is extended, its validity period is the same as the original certificate.
6.4 Suspension, deregistration and revocation of an authentication certificate
Refer to the "Mandatory Product Certification Certificate cancellation, suspension, revocation implementation rules" requirements. The certification body shall not continue to use the certificate during the suspension period and after the cancellation and revocation of the certificate.
7. Use of the certification mark
7.1 Style of authentication mark
7.2 Use of the certification Mark
The certification mark can be equally scaled up or down when used. However, deformation or discoloration is not allowed.
7.3 Application method
Unified printing of standard specifications signs, molding, nameplate printing, software, etc.
7.4 Location of logo
A certification mark shall be added near the nameplate of the product body.
Software products shall be marked with a certification mark on the software package/carrier. If the software product does not use packaging/carrier, it shall be clearly stated in a prominent place in the License Agreement for the use of the software that the product has been certified by a certification body.
【Related reading】:
Editor in charge:Shanghai Yue Fei Enterprise Management Consulting Co., Ltd.
Copyright:http://www.yf-iso.com/ Please indicate the source of the reprint
Share 
Collection 
