Regulatory Transformation: From Textual Compliance to Evidence‑Based Oversight
By the end of 2025, the Hong Kong government completed legislative preparations for the Critical Infrastructure (Computer Systems) Ordinance, with phased implementation beginning in early 2026.
The ordinance applies to designated sectors such as financial services, energy, healthcare, and telecommunications, requiring organisations to establish formalised information security governance structures.
Unlike the historical reliance on the Personal Data (Privacy) Ordinance, which focused largely on post‑incident accountability, the new regulatory logic emphasises:
- Systematic risk assessment and documented governance
- Evidence of implemented security controls
- Auditable processes and traceable decision records
This signals a fundamental shift: regulators are no longer assessing compliance solely based on whether an incident occurred, but on whether reasonable controls existed, were executed, and can be substantiated.
Enterprise Pressure: Market Due Diligence Becomes Technical and Evidentiary
- Supply Chain and Investor Scrutiny Extends Across Industries
In cross‑border transactions, listings, and procurement processes, investors and large counterparties increasingly require:
- Ongoing risk assessment records rather than one‑off reports
- Evidence of control testing and effectiveness
- Independent SRAA (Security Risk Assessment and Audit), ISO 27001, or comparable third‑party audit outputs
In sectors such as technology, healthcare, and financial services, IT policy declarations alone are no longer accepted as proof of security capability.
- Evidence Capability as a New Competitive Factor
A recurring concern among mid‑sized enterprises is: “We have risk management processes, but how do we prove they were actually executed?”
This reflects the core issue of 2026 information security governance: documentation, traceability, and verifiable execution have become as important as the technical controls themselves.
Practical Challenges in SRAA Implementation
Even organisations with established security frameworks or ISO‑aligned systems encounter structural difficulties when transitioning to evidence‑driven assessment.
- Insufficient Evidence Chains in Daily Controls
Common gaps include:
- Risk assessments conducted without ongoing records
- Control activities lacking execution evidence (testing logs, validation results)
- Incident handling without end‑to‑end documentation
As a result, organisations may have “done the work” but remain unable to demonstrate it clearly or consistently, increasing regulatory and commercial risk.
- Limited Cross‑Functional Governance and Senior Oversight
Information security is no longer a standalone IT responsibility. Regulators and stakeholders increasingly expect:
- Legal, compliance, and internal audit involvement in control design
- Board‑level review of security risk reports
- Clearly defined accountability and escalation mechanisms
Without governance integration, technical controls alone are insufficient.
- Unclear Thresholds for Reporting and Internal Recording
Under the new regulatory environment, events such as:
- Third‑party service disruptions
- Abnormal access behaviour
- Failed system updates
may trigger internal documentation or external notification requirements.
Without predefined classification and escalation criteria, organisations risk under‑reporting, over‑reporting, or inconsistent handling, each carrying legal and reputational consequences.
Outlook for the Next 12 Months
Based on current regulatory signals and international alignment trends, information security risk assessment in Hong Kong is expected to evolve along several clear directions:
Organisations will be expected to maintain complete chains of risk assessment records, control testing evidence, and review documentation.
- From one‑time compliance to ongoing governance
Information security will increasingly appear within enterprise risk cycles, annual reporting, and ESG disclosures.
- Cross‑departmental SRAA mechanisms
Legal, IT, risk management, and internal audit functions will need to jointly support auditable, operational controls.
- International framework convergence
Rather than responding only to local requirements, enterprises are moving toward structures compatible with EU NIS2, APAC cybersecurity frameworks, and ISO/IEC governance models, improving consistency and external trust.
Conclusion: SRAA as the Practical Entry Point to Information Security Governance
In Hong Kong’s 2026 compliance environment, SRAA is no longer a procedural formality. It has become a core indicator of an organisation’s governance maturity and credibility.
The central question has shifted from: “Do we have information security policies?”
to: “Can we demonstrate who executed them, under what conditions, and with what verifiable outcomes?”
Only organisations capable of evidence‑based compliance will be able to withstand increasing regulatory scrutiny, satisfy market validation requirements, and build resilient, long‑term information security governance.
Associated Services by DQS HK