Implementing HK Critical Infrastructure Code of Practice Using ISO/IEC 27001

Certification | October 02, 2025

To strengthen Hong Kong’s resilience against the growing global threat of cyberattacks, the Protection of Critical Infrastructure (Computer Systems) Bill was passed by the Legislative Council on March 19, 2025, and will take effect on January 1, 2026. The legislation, developed jointly by the Security Bureau, the Digital Policy Office, and the Hong Kong Police Force, establishes statutory requirements for safeguarding Critical Computer Systems (CCS) across key infrastructure sectors.


This white paper helps critical infrastructure (CI) operators understand the new legal framework and how to prepare for compliance. It:

  • Explains the purpose and key provisions of the Protection of Critical Infrastructure (Computer Systems) Bill
  • Compares the draft Code of Practice under the Bill with the ISO/IEC 27001:2022 information security management standard
  • Discusses how CI operators can adopt ISO/IEC 27001:2022 as a structured management framework to meet the Bill’s requirements and enhance cyber resilience

By bridging the legislative requirements with international best practices, the paper provides practical guidance for CI operators to implement robust, systematic cybersecurity management.

  • SGS Certification Services

Zugerstrasse 57,

6340, Baar, Switzerland