Can the information security in the national standard GB-T 25000-2016 be tested in accordance with the national standard GB/T 22239-2019?
Conclusion
Yes, the information in GB/T 25000.51-2016Security TestingIt can be partially carried out in accordance with GB/T 22239-2019, but the specific requirements and test scope of both need to be combined.

1. Standard relevance
GB/T 25000.51-2016The (Information Security Section) clearly stipulates that software products must comply with relevant standards and regulations, among whichGB/T 22239-2019The basic requirements for Cybersecurity level protection are one of the important reference bases.
GB/T 22239-2019As the core standard of the cybersecurity classification protection, it covers technical and management requirements such as secure physical environment, secure communication network, secure computing environment, and secure management center, and is in line with the information of GB/T 25000.51Security TestingThe content is highly overlapping.
2.Comparison of test contents
GB/T 25000.51-2016 Key Points for Information Security Testing
Confidentiality:
Check whether the data transmission and storage are encrypted (such as 3DES, AES).
The verification of account permissions follows the principle of least privilege.
Integrity:
Verify the integrity of data transmission and storage (such as hash algorithms, database constraints).
Ensure transaction atomicity and prevent data inconsistency.
Non-repudiation:
The immutability of audit logs.
Key operations adopt digital signatures.
Verifiability:
The audit log covers all user operations and records information such as the event date, time, and initiator.
Authenticity:
Identity verification mechanisms (such as two-factor authentication, password complexity requirements).
Compliance:
Verify whether the software complies with industry standards such as GB/T 22239.

Key Requirements of GB/T 22239-2019
Secure computing environment:
Identity verification: Two or more verification methods are required, and the number of login failures is limited.
Access control: Least Privilege principle, permission separation.
Data integrity: Verification techniques (such as CRC, hash algorithms).
Non-repudiation: Audit log protection, digital signature.
Secure communication network:
Data transmission integrity verification.
Encryption technology (such as SSL/TLS).
Overlapping content

Different contents

3.The feasibility of the test basis
:
In GB/T 22239-2019, regardingIdentity verification, data encryption, audit log, integrity checkThe requirements can be directly applied to the test of GB/T 25000.51.
For example, the confidentiality test of GB/T 25000.51 can refer to the requirements of GB/T 22239 for encryption algorithms and key management.
Management requirements level:
GB/T 22239 includes management requirements such as the safety management center and safety regulations, while GB/T 25000.51 focuses more on technical verification. Therefore, the management part needs to be tested separately.
Differences and Supplements:
GB/T 25000.51 emphasizesSoftware product function verification(Such as user permission allocation, session management), while GB/T 22239 focuses onSystem-level security protection(Such as network architecture, physical environment)
When testing, GB/T 25000.51 should be combinedCompliance ClauseVerify whether the software complies with the specific technical requirements of GB/T 22239.
4.Implementation suggestions
Test case design:
Refer to the technical provisions related to information security in GB/T 22239 (such as identity authentication, data encryption, and audit logs).
Supplement the specific test items of GB/T 25000.51 (such as software permission allocation, session management).
Tools and Methods:
Use vulnerability scanning tools (such as Nessus) to check for unauthorized access vulnerabilities.
Verify data encryption and integrity through protocol analysis tools such as Wireshark.
Compliance verification:
Compare with the level protection requirements of GB/T 22239 (such as Level 2 and Level 3) to confirm whether the software meets the corresponding security functions.
Information of GB/T 25000.51-2016Security TestingCan bePartly in accordance with GB/T 22239-2019Carry it out, especially at the technical implementation level (such as encryption, identity authentication, and audit logs). However, attention should be paid to the differences in emphasis between the two to ensure full coverage of the six sub-characteristics (confidentiality, integrity, non-repudiation, verifiability, authenticity, and compliance) stipulated in GB/T 25000.51. It is recommended to design test cases in combination with the specific requirements of the two standards to achieve comprehensive verification.
Related article recommendations
National Standard for Software Testing GB/T 25000.51-2016
【 Standard 】 Summary Introduction of GB/T 25000.51-2016 National Standard
