In response to the escalating global threat of cyberattacks, the Security Bureau, Digital Policy Office (formerly the Office of the Government Chief Information Officer), and the Hong Kong Police Force jointly proposed a legal framework to regulate critical infrastructure operators (CI operators) and their Critical Computer Systems (CCS) in Hong Kong.
Following legislative review, the Protection of Critical Infrastructure (Computer Systems) Bill (the Bill) was passed by the Legislative Council on March 19, 2025 and will be enacted on January 1, 2026. The Bill establishes statutory requirements to enhance the protection of CCS across critical infrastructure (CI) sectors.
This white paper provides a comparison between the draft Code of Practice and ISO/IEC 27001:2022 and explores how CI operators may consider adopting the internationally recognized ISO/IEC 27001 standard as a management framework for implementing the Bill, so that a CI's CCS may be managed in a structured and systematic manner.