---
title_en: "Cybersecurity Standards Practice Guide — Personal Information Protection Compliance Audit Requirements"
title_zh: "网络安全标准实践指南 — 个人信息保护合规审计要求"
abbreviation: "TC260 PI Audit Guide"
hierarchy: "standard"
issuing_body: "National Information Security Standardization Technical Committee (TC260)"
status: "effective"
related_laws: ["personal-info-audit-measures"]
domains: ["personal-information", "enforcement"]
url: https://datacompliancechina.com/laws/tc260-pi-audit-practice-guide/
summary: "This TC260 practice guide sets out requirements for conducting the personal-information-protection compliance audit that PIPL Article 54 requires handlers to perform periodically. It provides an audit framework — the matters to examine across a handler's personal-information processing against PIPL obligations — to support both self-audits and audits commissioned to professional bodies under the Administrative Measures for Personal Information Protection Compliance Audits. It is advisory practice guidance, not a mandatory standard."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/tc260-pi-audit-practice-guide/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Cybersecurity Standards Practice Guide — Personal Information Protection Compliance Audit Requirements", https://datacompliancechina.com/laws/tc260-pi-audit-practice-guide/
> *DCC summary, not a translation.* TC260 practice guides are copyright-protected and the Secretariat prohibits unauthorized translation. The structured summary below is DCC's own paraphrase grounded in the guide's title and the underlying audit regime; specific clauses should be checked against the published guide.

## Scope

This practice guide provides **requirements and a reference framework for the personal-information-protection compliance audit** — the periodic audit of whether a handler's personal-information processing complies with laws and administrative regulations. It is intended to support handlers conducting **internal self-audits** and professional bodies conducting **entrusted audits**, by enumerating the audit matters and expectations across the personal-information lifecycle.

It is a **practice guide** issued by the TC260 Secretariat — advisory, not a mandatory standard.

## Key contents

At a structural level the guide is expected to cover:

- **Audit objectives and principles** — independence, objectivity and full coverage of personal-information processing activities.
- **Audit scope and matters** — the obligations to be examined, mapped to PIPL: lawful basis and consent; notice and transparency; minimum necessity; sensitive-PI handling; automated decision-making; entrusted processing and sharing; cross-border transfer; data-subject rights; security measures; impact assessments; and governance (responsible person, incident response, recordkeeping).
- **Audit method and evidence** — how to plan, gather evidence, test controls and document findings.
- **Audit reporting** — the content and form of the audit report and follow-up on rectification.

> *Editor: verify specific clauses against the published guide.*

## How it fits the regime

The guide operationalizes the **compliance-audit duty** in **PIPL Article 54**, which requires personal-information handlers to periodically audit their compliance with laws and administrative regulations, and **Article 64**, under which regulators may require an audit where processing poses significant risk or an incident occurs. The **Administrative Measures for Personal Information Protection Compliance Audits** flesh out when self-audits versus regulator-mandated audits apply, the cadence, and the use of professional auditing bodies.

This practice guide supplies the **audit content and method** that those instruments assume — the checklist auditors work through. For overseas compliance teams, it is the reference for scoping and running a PIPL compliance audit (or preparing to be audited), and it complements the impact-assessment standard (GB/T 39335), GB/T 35273 and the sensitive-PI standards.
