Hong Kong Code of Practice (CoP) Compliance

Hong Kong’s Code of Practice (CoP) compliance refers to adhering to the baseline cybersecurity obligations established for Critical Infrastructure (CI) operators under the Protection of Critical Infrastructures (Computer Systems) Ordinance. It marks a shift from merely having documented policies to demonstrating actual control effectiveness, structured risk management, continuous monitoring, and measurable incident readiness. The HK CoP v1.0 ensures that operators apply enhanced security measures commensurate with real-world risks to protect critical systems and maintain society's essential services.

Compliance is mandatory for designated Critical Infrastructure (CI) operators who manage or operate Critical Computer Systems (CCS). A system is typically designated as a CCS if it plays a material role in the CI's core function, its disruption would cause severe impact to that core function, it stores or processes sensitive digital data used directly in essential services, or it is highly related to other CI operators or other critical systems.

CI operators must fulfill organizational, preventive, and incident response obligations. They must maintain an office in Hong Kong, notify the regulating authority of operator or system changes, and establish a computer-system security management unit. Preventive requirements include implementing a board-endorsed security management plan, conducting regular risk assessments and penetration tests, ensuring 24×7 monitoring, managing patches, and arranging independent audits. Finally, operators must participate in security drills, implement emergency response plans, and notify authorities of serious security incidents within 12 hours.

Achieving CoP compliance allows CI operators to transition from being "compliant" on paper to being genuinely resilient in practice against real-world attack techniques. It minimizes the risk of cyber threats disrupting the essential services that society relies upon by continuously validating exposure and control effectiveness. Additionally, compliance enables organizations to generate objective, audit-ready evidence for the Commissioner and ensures structured, well-practiced incident readiness.

The CoP mandates a comprehensive suite of cybersecurity controls, starting with the adoption of a "security by design" principle throughout a system's lifecycle. Key operational controls include strict access and privileged account management, proper use of cryptography, physical security for facilities, and robust supply chain and cloud computing risk management. Operators must also implement network security mechanisms like intrusion detection systems, rigorous patch and vulnerability management, endpoint monitoring tools, and comprehensive log management to support audits and investigations.

No, CoP compliance explicitly extends beyond traditional IT environments to include Operational Technology (OT). Industrial control systems such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), or Programmable Logic Controllers (PLC) are considered computer systems under the Ordinance. The CoP recognizes that standard IT security measures might disrupt OT systems; therefore, it provides specific alternative security controls for OT, such as alternative vulnerability identification activities instead of intrusive penetration testing.

The Picus Platform continuously validates exploitability and control effectiveness through adversary-emulated techniques in a production-safe manner. It helps CI operators meet CoP requirements by verifying if identified vulnerabilities can actually be leveraged into attack paths and testing if monitoring tools properly detect malicious behaviors. Picus transforms static risk assessments into continuous evaluations, prioritizes patch management based on actual exposure rather than theoretical severity, and generates objective, MITRE ATT&CK-mapped evidence to support independent audits and security drills.

Organizations can effectively implement compliance by shifting to a model of continuous validation to bridge the gap between documented policy and practical implementation. They should define a structured risk management approach that tests existing prevention and detection controls against real-world adversary behaviors rather than relying on static findings. Furthermore, organizations should deploy automated platforms to continuously measure network, cloud, and endpoint resilience, ensuring they can produce objective evidence of control performance during audits and post-incident reviews.