Overview

The PCICSO Assessment Tool gives Hong Kong critical infrastructure operators a structured, evidence-backed way to evaluate their compliance posture against the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) — at the individual Critical Computer System level and across the entire CCS portfolio. Whether you are preparing for OCCICS engagement, a Board briefing, a Management Plan review, or your own internal gap analysis, the tool does the heavy lifting: scoring, gap identification, risk prioritisation, evidence management, and report generation — entirely within your browser, with no data leaving your environment unless you explicitly enable an AI feature.

The assessment covers all three statutory obligation categories — Organisational, Preventive, and Incident Reporting and Response — translated from the Ordinance and the Commissioner's Code of Practice (Version 1.0, issued 1 January 2026) into a structured set of assessable practices. Multi-CCS portfolio mode aggregates assessments across every Critical Computer System you operate, surfacing cross-portfolio patterns no per-system view can show. Period tracking and year-over-year comparison turn point-in-time scoring into a defensible trajectory of improvement — exactly the evidence the Commissioner's Office will look for in supervisory engagement and post-incident review.

Three-Category Coverage

Complete coverage of Category 1 (Organisational), Category 2 (Preventive) and Category 3 (Incident Reporting and Response) obligations — mapped directly to the Commissioner's Code of Practice, with sectoral CoP overlays for HKMA and Communications Authority-supervised entities.

Multi-CCS Portfolio Mode

Every Critical Computer System you operate, scored consistently, rolled up into a single CIO-level view — with cross-CCS heatmaps, common gap analysis, common evidence weaknesses, and AI-narrated portfolio executive summary.

Secure by Design

Runs entirely in your browser. No SaaS dependency, no account required, deployable on Hong Kong-resident infrastructure. Optional AI features connect only when you choose to enable them, using your own API key — and can be disabled site-wide for regulated environments and PCICSO secrecy compliance.

What PCICSO Asks You to Do — and How the Tool Handles It

PCICSO is Hong Kong's first dedicated cybersecurity law. It came into force on 1 January 2026, alongside the establishment of the Office of the Commissioner of Critical Infrastructure (Computer-system Security) (OCCICS) and the publication of the Commissioner's Code of Practice (CoP). It imposes three categories of statutory obligations on designated Critical Infrastructure Operators (CIOs) — and translates those high-level obligations, through the CoP, into specific operational requirements covering everything from board-approved Management Plans to incident reporting timeframes.

The tool integrates every element of the framework — the three obligation categories, the Code of Practice's operational requirements, the sector-specific CoP overlays from designated authorities (HKMA for banking and financial services; Communications Authority for telecommunications and broadcasting), and the supplier flow-down mechanics — so the question is never "did we cover everything?" but rather "what does the evidence support?".

Assessment Categories

All three PCICSO statutory obligation categories, organised by the practical compliance areas the Commissioner's Code of Practice identifies:

Category 1 — Organisational

  • Hong Kong Office & Operator Notification
  • Computer-System Security Management Unit
  • Supervisor Qualifications & Adequacy
  • Governance, Accountability & Reporting

Category 2 — Preventive

  • CCS Identification & Material Change Notification
  • Board-Approved Management Plan
  • Policies, Standards & Guidelines
  • Technical Safeguards & OT/SCADA Controls
  • Supply Chain & Cloud Service Security
  • Audits & Independent Assessments
  • Training & Security Awareness

Category 3 — Incident Reporting & Response

  • Board-Endorsed Emergency Response Plan
  • Detection, Triage & Classification
  • Containment, Eradication & Recovery
  • Incident Reporting Timeframes & Channels
  • Evidence Preservation & Communications
  • Drills & Post-Incident Review

Common Compliance Anti-Pattern Detection

The tool goes beyond simple practice-by-practice scoring. Alongside the structured assessment, a curated set of compliance anti-patterns identifies organisational and operational conditions that actively undermine PCICSO compliance even when other controls appear adequate — for example, security management units that are technically established but lack the day-to-day authority to enforce policy, or Management Plans that are board-approved but not operationally embedded.

Anti-patterns are scored binary — present or not present — and contribute to a dedicated Anti-Pattern Assessment view that surfaces the structural weaknesses traditional self-assessment misses. This is what separates a defensible PCICSO compliance posture from a tick-box exercise that won't survive a Commissioner's inquiry.

Multi-CCS Portfolio Mode

Most designated CIOs operate multiple Critical Computer Systems — financial transaction platforms and their supporting infrastructure, OT environments and their corporate IT dependencies, primary and resilient setups. The CCS Registry holds every Critical Computer System in your portfolio, each with its own designation status, materiality classification, and assessment progress — all visible on a single dashboard. The portfolio-level views go well beyond simple aggregation:

  • CCS × Category Heatmap — A colour-coded cross-portfolio matrix showing every CCS against the three obligation categories and their sub-areas, with average compliance by area across systems, sortable to surface the weakest categories across the CIO.
  • Compliance by CCS Type — Compare compliance posture across CCS types (transactional, control, monitoring, data processing) to see whether systemic weaknesses cluster by operational context.
  • Common Gaps Across the Portfolio — Practices where multiple CCSs are non-compliant, with the explicit list of affected systems. Fix one root cause at the policy or platform level, clear many CCS-level gaps at once.
  • Common Evidence Weaknesses — Patterns where evidence quality is consistently weak across CCSs, pointing at systemic documentation deficiencies worth addressing centrally — plus reference examples of CCSs with strong evidence for the same practice.
  • Common Low-Compliance Practices — The practices that consistently score below the Code of Practice expectation across CCSs — the structural patterns worth a portfolio-wide programme rather than per-system remediation.
  • CIO Overview Dashboard — Tile metrics across the top show total CCSs, average compliance, category obligations met, and outstanding actions. Compliance leads see exactly where to push next.

Evidence Workflow & Reviewer Overrides

Each practice presents the assessor with a structured answer scale (None, Partial, Strong, plus N/A with justification), an inline guide to what good evidence looks like under the Code of Practice, and a drag-and-drop area for attaching supporting documents — PDFs, Word, Excel, images, CSV — directly to the practice.

An independent reviewer workflow captures observations against the evidence in structured fields. The reviewer can override the self-assessed compliance level where the evidence clearly contradicts it, with both the original answer and the reviewer override preserved in the audit trail. When AI is enabled, AI-suggested compliance levels (with confidence rating low/medium/high) sit alongside the self-assessment and the reviewer override — three independent signals, all visible side-by-side, all auditable.

Period Tracking, Baselines & Year-over-Year Comparison

The CoP requires Management Plans to be reviewed at least biennially or after major changes, and obliges material changes to CCSs to be notified to the Commissioner within one month. Single-point assessments are necessary but insufficient. The tool treats assessment as a continuous activity, with first-class support for the time dimension:

  • Compliance Snapshot & Baseline — Save a point-in-time baseline; capture manual overrides where appropriate; replace, clear or revert baselines as the programme evolves.
  • Period Closure — Formally close an assessment period and archive it, freezing the state for audit and historical comparison — ideal for the biennial Management Plan review cadence.
  • Year-over-Year Comparison — Improvements, regressions, evidence added or removed, reviewer-decision changes, category compliance movement — all surfaced as a structured change report between any two assessment periods.
  • Multi-Period Trend Comparison — Load three or more historical periods to visualise compliance trajectory by category and CCS across time.
  • Per-CCS Compliance Trends — Each CCS's compliance trajectory over multiple closed periods, plus a CIO-average trend line — the trajectory of improvement that the Commissioner will examine in supervisory engagement.

For designated CIOs, this is the evidence trail that demonstrates credible intent — period by period, not just at biennial review.

Audit Log, Collaboration & Resilient Storage

Every answer, note, evidence change and reviewer override is captured in a chronological audit log — the complete record of who did what and when, with full version history accessible from the in-app log viewer. This is the artefact that supports the Commissioner's investigative powers under the Ordinance, and the secrecy obligations in section 57.

Optional Shared Folder Mode turns the assessment into a team workspace. Multiple assessors work in parallel on a multi-CCS portfolio via OneDrive, SharePoint, Microsoft Teams, Google Drive, or Dropbox. Per-CCS file locking keeps two assessors from editing the same CCS at once; identity stamping records who changed what; live change polling surfaces edits in seconds; and the sync provider conflict detector flags the "conflicted-copy" files a sync provider creates when two clients write the same file before either sync completes, so you can resolve them deliberately rather than discovering them at audit time. A 30-day soft delete with one-click restore guards against accidental data loss.
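The kind of check that conflict detector performs, as an added illustration rather than the tool's own code: it scans a folder listing for the renamed copies that Dropbox, Google Drive and OneDrive leave behind after a sync collision and pairs each one with the file it competes with. The filename patterns, the listing and the host names are assumptions constructed for the example; the OneDrive pattern is matched only against machine names already seen in identity stamps, because a bare "-suffix" rule would flag ordinary names such as ccs-01.json.

```python
"""Sync-provider conflicted-copy detector for a shared assessment folder.

Added illustration, not the tool's own code. The filename patterns below are
assumptions about how Dropbox, Google Drive and OneDrive rename the losing
side of a sync conflict; check them against your provider's current behaviour.
"""
import re

# Dropbox: "ccs-01 (Alice's conflicted copy 2026-02-14).json"  (assumed pattern)
DROPBOX_RE = re.compile(
    r"^(?P<base>.+) \((?P<who>.+?)'s conflicted copy (?P<date>\d{4}-\d{2}-\d{2})\)(?P<ext>\.[^.]+)$"
)
# Google Drive: duplicate kept as "ccs-03 (1).json"  (assumed pattern)
GDRIVE_RE = re.compile(r"^(?P<base>.+) \((?P<n>\d+)\)(?P<ext>\.[^.]+)$")


def onedrive_re(host: str):
    # OneDrive appends the machine name: "ccs-02-LAPTOP-7F3K.json"  (assumed pattern).
    # A generic "-something" suffix would also match "ccs-01.json", so the pattern is
    # built per host name and only host names recorded by identity stamping are tried.
    return re.compile(rf"^(?P<base>.+)-{re.escape(host)}(?:-\d+)?(?P<ext>\.[^.]+)$")


def detect_conflicts(listing, known_hosts):
    """Return one finding per conflicted copy, with the file it competes with."""
    present = set(listing)
    findings = []
    for name in listing:
        hit = None
        m = DROPBOX_RE.match(name)
        if m:
            hit = ("dropbox", m.group("base") + m.group("ext"), m.group("who"))
        if hit is None:
            m = GDRIVE_RE.match(name)
            if m:
                hit = ("google-drive", m.group("base") + m.group("ext"), None)
        if hit is None:
            for host in sorted(known_hosts):
                m = onedrive_re(host).match(name)
                if m:
                    hit = ("onedrive", m.group("base") + m.group("ext"), host)
                    break
        if hit is None:
            continue
        provider, original, origin = hit
        findings.append({
            "conflicted_copy": name,
            "provider": provider,
            "original": original,
            "original_present": original in present,  # False: the winning copy was since deleted
            "origin": origin,                          # assessor or machine that produced the loser
            "action": "merge manually, then delete the copy",
        })
    return sorted(findings, key=lambda f: f["conflicted_copy"])


# Constructed directory listing of a shared portfolio folder (not real data).
LISTING = [
    "ccs-01.json",
    "ccs-01 (Alice's conflicted copy 2026-02-14).json",
    "ccs-02.json",
    "ccs-02-LAPTOP-7F3K.json",
    "ccs-03 (1).json",            # Google Drive duplicate whose original was later deleted
    "evidence-register.json",
]
KNOWN_HOSTS = {"LAPTOP-7F3K", "WS-BOB"}   # machine names recorded by identity stamping

if __name__ == "__main__":
    for finding in detect_conflicts(LISTING, KNOWN_HOSTS):
        print(finding)
```

Run against a real folder, replace LISTING with os.listdir() of the shared folder and KNOWN_HOSTS with the machine names your identity stamps have recorded; a finding whose original is absent means the "winner" was deleted after the collision and the copy is now the only version.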

Evidence storage is resilient by design — content-derived filenames (so evidence titles never leak through the folder browser), per-file and per-question caps, browser-storage quota monitoring, optional encryption-at-rest, a crash-recovery mirror, and a read-only Evidence Health Check audit available from Settings. Crucially for PCICSO secrecy compliance, designation-related information is segregated and access-controlled by default.
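A minimal content-addressed evidence store with the kind of read-only health check described above, added here as an illustration and not the tool's own implementation. Filenames are the SHA-256 of the bytes plus the original extension, so a folder browser shows hashes rather than titles; the title lives only in a register kept beside, not inside, the evidence folder. The caps, folder layout and register format are assumptions for the example, and the demo scenario (one file edited after attachment, one file dropped into the folder by hand, one oversized upload) is constructed.

```python
"""Content-addressed evidence store with a read-only health check.

Added illustration, not the tool's own code. Assumes a per-CCS root containing an
'evidence/' folder and a JSON register beside it; SHA-256 as the content hash;
placeholder values for the caps.
"""
import hashlib
import json
import os
import tempfile

MAX_FILE_BYTES = 10 * 1024 * 1024    # assumed per-file cap
MAX_FILES_PER_PRACTICE = 5           # assumed per-practice cap
EVIDENCE_DIR = "evidence"
REGISTER = "evidence-register.json"  # holds titles; kept outside the evidence folder


def content_name(data: bytes, ext: str) -> str:
    """Filename derived from the bytes, so the folder shows hashes, not titles."""
    return hashlib.sha256(data).hexdigest() + ext


def load_register(root: str) -> list:
    path = os.path.join(root, REGISTER)
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def save_register(root: str, rows: list) -> None:
    with open(os.path.join(root, REGISTER), "w", encoding="utf-8") as fh:
        json.dump(rows, fh, indent=2)


def store_evidence(root: str, practice: str, title: str, data: bytes, ext: str) -> str:
    """Enforce the caps, write the file under its content name, record it."""
    if len(data) > MAX_FILE_BYTES:
        raise ValueError(f"{title}: exceeds per-file cap")
    rows = load_register(root)
    name = content_name(data, ext)
    mine = [r for r in rows if r["practice"] == practice]
    if not any(r["file"] == name for r in mine):      # same bytes re-attached: no new row
        if len(mine) >= MAX_FILES_PER_PRACTICE:
            raise ValueError(f"{practice}: per-practice cap reached")
        rows.append({"file": name, "practice": practice, "title": title, "size": len(data)})
    folder = os.path.join(root, EVIDENCE_DIR)
    os.makedirs(folder, exist_ok=True)
    with open(os.path.join(folder, name), "wb") as fh:
        fh.write(data)
    save_register(root, rows)
    return name


def health_check(root: str) -> list:
    """Read-only audit: every registered file present and unmodified, no orphans."""
    rows = load_register(root)
    folder = os.path.join(root, EVIDENCE_DIR)
    registered = {r["file"] for r in rows}
    findings = []
    for name in sorted(registered):
        path = os.path.join(folder, name)
        if not os.path.exists(path):
            findings.append(("missing", name))
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if content_name(data, os.path.splitext(name)[1]) != name:
            findings.append(("hash-mismatch", name))   # edited or corrupted since attachment
    for entry in (os.listdir(folder) if os.path.isdir(folder) else []):
        if entry not in registered:
            findings.append(("orphan", entry))          # file with no register row
    return sorted(findings)


def demo() -> dict:
    """Constructed scenario: two attachments, one tampered, one orphan, one oversized."""
    root = tempfile.mkdtemp()
    a = store_evidence(root, "C2-3.1", "Board minutes 2026-01", b"minutes ...", ".pdf")
    b = store_evidence(root, "C2-3.1", "Patch report Q1", b"patch,status\n", ".csv")
    with open(os.path.join(root, EVIDENCE_DIR, a), "ab") as fh:
        fh.write(b"\n-- edited after attachment")
    with open(os.path.join(root, EVIDENCE_DIR, "stray.docx"), "wb") as fh:
        fh.write(b"dropped in by hand, never registered")
    try:
        store_evidence(root, "C2-3.1", "Oversized dump", b"\0" * (MAX_FILE_BYTES + 1), ".bin")
        cap_rejected = False
    except ValueError:
        cap_rejected = True
    return {"names": [a, b], "findings": health_check(root), "cap_rejected": cap_rejected}


if __name__ == "__main__":
    print(demo())
```

The check is deliberately read-only: it reports a hash mismatch rather than re-hashing and renaming the file, because a mismatch on attached evidence is itself a finding the audit log should record before anyone touches the file.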

Who It's For

  • Designated Critical Infrastructure Operators across PCICSO's eight sectors: energy, IT, banking and financial services, land transport, air transport, maritime transport, healthcare, and telecommunications and broadcasting
  • Operators of major sports and performance venues, and R&D parks, with critical-infrastructure designation
  • Multi-CCS operators needing CIO-wide compliance visibility
  • Suppliers and cloud service providers facing PCICSO flow-down obligations from CIO contracts
  • Banking, FS and telco entities expecting sectoral CoPs from HKMA or the Communications Authority
  • Audit, compliance and assurance teams evidencing PCICSO compliance to the Commissioner, the board, or independent reviewers

What You Receive

Comprehensive CCS-level and CIO-level PCICSO compliance outputs — every deliverable drawn from the same underlying data, so one assessment becomes every artefact you need.

AI-Enhanced CCS Word Report

Per-CCS narrative deliverable — category compliance status, obligation-by-obligation gap register, anti-pattern findings, evidence register, and prioritised remediation plan. When AI is enabled, includes an AI-generated executive summary and per-category narratives. OCCICS-ready.

Multi-Worksheet Excel Workbook

The same data in tabular form across multiple sheets — gap register, remediation plan, evidence register, full results matrix, anti-pattern findings, N/A exclusions. Drops into JIRA, Asana or Smartsheet without re-keying.

CIO Portfolio Word & Excel Reports

Cross-CCS executive summary, CCS × category heatmap, common gaps register, common evidence weaknesses, common low-compliance practices, and CIO-wide recommendations — generated automatically from per-CCS data.

CCS × Category Heatmap

Cross-portfolio matrix of CCSs against the three obligation categories and their sub-areas, colour-coded by compliance level, sortable to surface the weakest categories and the weakest systems.

Category Compliance Matrix & Movement

At-a-glance compliance status per CCS for Category 1, 2 and 3 obligations, with Category Movement view tracking which CCSs have improved or regressed between assessment periods.

Anti-Pattern Assessment

Binary anti-pattern practices that undermine PCICSO compliance effectiveness — assessed alongside the structured obligation practices to surface the structural weaknesses traditional self-assessment misses.

Evidence Package (ZIP)

Every attached evidence file organised by CCS and practice, with an Excel register cataloguing each file with metadata. Ships in one click when the Commissioner, an auditor or a designated authority asks for substantiation.

Year-over-Year Comparison

Category-by-category change reports between any two periods — improvements, regressions, evidence added/removed, reviewer-decision changes, and category-level compliance movement. AI-narrated when enabled.

Multi-Period Trend Comparison

Load three or more historical periods to visualise compliance trajectory across time, with per-CCS and per-category trends. The trajectory the Commissioner examines in supervisory engagement.

Reviewer Override Audit Trail

Independent reviewer can override self-assessed and AI-suggested compliance levels with full justification — original answer, AI suggestion, and reviewer conclusion all preserved in the audit log.

Audit Log & Version History

Chronological record of every answer, note, evidence change and reviewer override — viewable in-app with full version history, exportable as JSON for long-term retention and supervisory disclosure.

Shared Folder Collaboration

Team workspace via OneDrive, SharePoint, Microsoft Teams, Google Drive or Dropbox — with per-CCS locking, identity stamping, live change polling, sync conflict detection, and 30-day soft delete with restore.

AI woven through every stage

AI assistance that earns its place.

Twelve AI capabilities, entirely optional and opt-in via your own Anthropic API key, accelerate every phase of PCICSO compliance work, from understanding a Code of Practice requirement to drafting the board narrative inside the Word report itself. The tool works fully without them; with them, the per-cycle effort that used to consume weeks of consultant time becomes a quarterly cadence your own team operates. Because anything submitted to an AI feature leaves your environment for the model API, the CIO-wide disable switch and the pre-submission sensitive-data warning are what keep that use consistent with PCICSO secrecy obligations under section 57.

The twelve capabilities fall into four phases:

  • Phase 1: During the assessment
  • Phase 2: During review
  • Phase 3: Before & in the deliverables
  • Phase 4: Across periods

Phase 1

AI Advisor Chat

Connected Claude assistant that explains any PCICSO obligation, Code of Practice requirement, or compliance criterion in plain English, with conversational follow-up. CCS name, designation status, your scores and notes are passed as context, so answers are tied to your actual posture, not generic regulatory boilerplate. That context leaves the browser with each request, so where designation status is itself sensitive, rely on the CIO-wide AI disable in Settings rather than the chat.

Phase 1

Draft With AI

Turn bullet-point facts into a structured assessment note — the assessor captures key facts, AI drafts the defensible written rationale that lives with the practice answer. The slow, low-energy step that usually gets skipped now takes seconds.

Phase 1

Context-Aware Suggested Prompts

One-tap prompt chips built into the AI Advisor — "Biggest gaps?", "Uplift plan", "Evidence to gather", "Board summary" — each pre-wired to your actual assessment data and category compliance status. The fastest way to get useful AI output without crafting prompts.

Phase 2

AI Evidence Review with Compliance Suggestion

Attached PDFs, images, Word, Excel and CSV files are read by AI and assessed against the Code of Practice requirement — with a suggested compliance level and a low/medium/high confidence rating. The reviewer keeps the final call; AI does the first pass.

Phase 2

AI Deep Review

A more thorough AI pass for higher-criticality evidence — multi-pass analysis with finer-grained gap identification, traceable back to specific CoP requirements. For the practices where "looks about right" isn't good enough.

Phase 2

AI Remediation Drafting

For each identified gap, AI drafts a specific remediation action — what to do, why it matters, how it lifts compliance. Regenerate if the first draft isn't quite right. The gap register stops being a list of problems and starts being a list of next actions.

Phase 3

Pre-Export Quality Review

Diagnostic AI scan over the entire CCS or CIO assessment before export — surfaces empty notes on Strong answers, missing evidence on key obligations, reviewer/confidence inconsistencies, and overrides without justification. Diagnostic only; no answers are changed.

Phase 3 · In the Word report

AI CCS Executive Summary

The CCS Word report opens with an AI-generated executive summary written from your actual assessment data — category compliance, headline gaps, anti-pattern findings, and recommended priorities for this system. The CCS owner's board narrative, pre-drafted.

Phase 3 · In the Word report

AI CIO Executive Summary

A different summary — written from the cross-CCS view. CIO-wide compliance status, weakest categories across the portfolio, common gaps with the highest leverage, systemic evidence weaknesses, and the cross-CCS investment case. The CISO or compliance director's narrative, drafted.

Phase 3 · In the Word report

AI Category Narratives

Board-ready prose inside the Word report — for each of the three PCICSO obligation categories, an AI-written narrative explaining what the category covers, your posture, where the gaps sit, and what to do next. Audit-committee language, generated from your data.

Phase 4

AI Period Comparison Narrative

When you load a previous assessment for year-over-year comparison, AI drafts the narrative of what changed — improvements, regressions, where evidence strengthened, and the trajectory story for the board. The "is compliance improving?" question, answered in prose.

Phase 4

AI Common-Gap Remediation Plan

For each Common Evidence Weakness or Common Low-Compliance Practice across the portfolio, AI drafts a cross-CCS systemic remediation plan — the leverage point that turns dozens of system-level findings into a single funded programme.

Bring your own API key · Pay only for what you use

All twelve AI features connect using your own Anthropic Claude API key, stored only in your browser's session memory — never saved to disk, never sent to CyberAssure. Typical usage is a few US dollars per full assessment cycle. AI can be disabled CIO-wide via Settings for sensitive designation environments, and a sensitive-data warning is shown before evidence is submitted for AI review — supporting your obligations under section 57 of the Ordinance.

Regulatory Context

PCICSO in force since 1 January 2026

Hong Kong's Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) came into force on 1 January 2026 alongside the Commissioner's Code of Practice. Fines for non-compliance run up to HK$5 million, with daily fines of up to HK$100,000 for continuing breaches. Phase 1 CIO designations are rolling out through 2026. The tool's three-category coverage, multi-CCS portfolio mode, and AI-enhanced reporting were built precisely for the operational workload that designation triggers.

Read: What designated CIOs must do now →

Ready to Assess Your PCICSO Compliance?

Get in touch to discuss access to the PCICSO Assessment Tool.


Often Used Alongside

Organisations frequently combine this assessment with complementary frameworks to address multiple governance requirements.

Critical Infrastructure

AESCSF v2 Maturity Assessment

Comparable maturity-based critical infrastructure assessment for the Australian energy sector — same engine, applied to AESCSF rather than PCICSO.

Third-Party Risk

Supply Chain Security Assessment

For PCICSO flow-down to suppliers and cloud providers — comprehensive vendor and third-party assessment with contractual obligation tracking.


Have questions about how our assessments work?

Read the Enterprise Assessment FAQ →