How China’s Top Bank Secured Dual DevOps & DevSecOps Certifications

Background

On May 29, 2024, China’s central internet regulator, market supervision administration, and Ministry of Industry and Information Technology released the Information Standard Construction Action Plan (2024‑2027) , emphasizing internationalization of IT standards and coordination between domestic and global standards such as ISO, IEC, and ITU.

DevOps Dual‑Certification Initiative

The China Academy of Information and Communications Technology (CAICT) launched a synchronized assessment based on ITU DevOps international standards and the domestic DevOps maturity model, enabling mutual recognition of standards. This assessment upgrades scope, certification, and reporting to meet national policy.

Bank of Communications Achievements

At the 5th IT Governance Leadership Forum (Dec 17, 2024, Beijing), CAICT announced that Bank of Communications (BoC) passed the dual‑certificate evaluation for both ITU DevOps international standards and the domestic DevOps standard.

Performance‑Measurement Platform : BoC’s software‑center measurement platform, built on a data‑driven, full‑lifecycle approach, now monitors key metrics such as build success rate, test coverage, code defect rate, deployment frequency, mean time to deploy, and failure rate. Real‑time dashboards enable rapid bottleneck detection and root‑cause analysis, improving release stability and efficiency.

Security Development Support Platform : The platform passed ITU DevOps and domestic DevOps assessments for security and risk management, achieving an “Excellent” rating. It integrates open‑source component scanning, static and dynamic application security testing, infrastructure security testing, and interactive testing, establishing BoC as the first state‑owned bank with dual DevSecOps certification.

Continuous‑Testing Project : The “Huimin Medical Service” product, a digital credit‑payment solution for insured users, also achieved ITU DevOps and domestic continuous‑testing level‑3 certification, demonstrating BoC’s capability in automated testing, tool integration, and data‑driven quality improvement.

Impact and Scope

To date, BoC has completed 22 CAICT DevOps standard assessments, covering continuous delivery (8), security & risk management (1), system & tool standards (7), continuous testing (1), and performance measurement (5). These results illustrate the bank’s leadership in adopting standardized, data‑driven DevOps practices aligned with national digital‑finance strategies.