"Measures to Enhance the Effectiveness of the ISMS·ISMS-P Certification System"
Mandatory Certification for High-Impact Sectors such as Telecom Operators
Continuous Monitoring and Certification Revocation for Unaddressed Deficiencies

The government is set to completely overhaul the Information Security Management System and Personal Information Protection Management System (ISMS·ISMS-P) certification program, which has been criticized as ineffective. The core of the reform is to shift the existing document-based assessment method to an on-site, continuous inspection system. The range of entities required to obtain certification will also be expanded.


Ryu Jemyung, Vice Minister of Science and ICT (left), and Song Kyunghui, Chairperson of the Personal Information Protection Commission, are speaking at the 'Information Security and Personal Information Protection Management System (ISMS·ISMS-P) System Improvement Meeting' held on the 12th at HJ Business Center in Gwanghwamun, Seoul. Photo by Noh Kyungjo


The Personal Information Protection Commission and the Ministry of Science and ICT announced these measures during the Economic Ministers’ Meeting held at the Seoul Government Complex on April 10, introducing the “Measures to Enhance the Effectiveness of the Information Security and Personal Information Protection Management System Certification Program.”


The ISMS·ISMS-P certification is a system that certifies whether the information protection and personal information management systems established and operated by companies and institutions are appropriate. Through ISMS·ISMS-P certification, organizations identify their information assets, organize personal information processing flows, and manage potential security risks. However, the effectiveness of the system has recently come under scrutiny following a series of personal information leaks at telecom operators and major platforms that had obtained the certification.


In response, the government has decided to pursue four key initiatives: making certification mandatory and strengthening standards, reforming the assessment process, reinforcing post-certification management, and improving the quality of assessments. First, the scope of entities required to obtain certification will be expanded, focusing on operators with significant impact on the public. ISMS-P certification will be made mandatory for major public system operators, mobile network operators, identity verification agencies, and large-scale personal information processors, taking into account factors such as sales volume and the scale of personal information handled. The government will gradually broaden the scope of these requirements.


The certification system will be differentiated based on risk levels. Moving away from a one-size-fits-all standard, a three-tier system—“Enhanced Certification,” “Standard Certification,” and “Simplified Certification”—will be introduced. For the enhanced certification group, which has a significant impact on the public, stricter standards and assessment methods will be applied. The scope of certification will also be gradually expanded to ensure that all equipment and facilities related to certified services are included. In particular, critical digital assets that are connected to external networks and could serve as attack vectors must be included in the certification scope.


The assessment process will shift to an on-site approach. A preliminary review will be conducted before the main assessment to check for compliance with key certification standards in advance. Technical assessments such as vulnerability diagnosis and penetration testing will be expanded. On-site verification methods, including real-time demonstrations, will be introduced to check the actual level of security management. The number of assessors and the assessment period will be increased; on-site inspections will be strengthened for the standard certification group, and dedicated vulnerability assessment teams will be assigned to the enhanced certification group to carry out detailed inspections of high-priority information assets.


Furthermore, the government will move away from the “snapshot” method of only checking compliance at a single point in time during the assessment and will establish a regular, ongoing inspection system to ensure that security standards are maintained even after certification is granted. A system will be introduced for sharing incident histories between the government and certification bodies. In the event of a major incident, a thorough assessment will be conducted after the government’s investigation and action, including the cause, corrective measures, and plans to prevent recurrence. If significant deficiencies are not addressed within a set period, certification will be revoked.


The management responsibility of assessment bodies and the professional development of assessors will also be strengthened. After each assessment, a reliability survey of the assessment body will be conducted, and the results will be reflected in the allocation of assessments for the following year, encouraging assessment bodies to manage quality independently. Items related to assessment quality will be reflected in the designation and re-designation evaluations to prevent poor-quality assessments, and strict annual follow-up checks will ensure compliance with designation standards by assessment bodies.


The two ministries plan to proceed with follow-up measures, including amendments to enforcement ordinances and notifications. The aim is to implement the new post-certification management system—including continuous inspections and stricter certification revocation criteria—in the second half of this year, and to roll out mandatory ISMS-P certification and the differentiated certification system starting next year.



Song Kyunghui, Chairperson of the Personal Information Protection Commission, stated, "Starting with these measures to enhance effectiveness, we will improve the certification program as a key preventive mechanism for personal information protection, thereby creating a digital environment where the public can feel secure."


This content was produced with the assistance of AI translation services.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.