Song Kyung-hee, Chairperson of the Personal Information Protection Commission, delivers a speech at a meeting held on the 6th at the Government Complex Seoul about improvements to the ISMS-P certification. Provided by the Personal Information Protection Commission.
The Ministry of Science and ICT and the Personal Information Protection Commission announced on the 29th that they discussed the criteria for revoking Information Security Management System (ISMS) and ISMS-P certifications with certification-related institutions such as the Korea Internet & Security Agency, the Financial Security Institute, and private experts.
ISMS is a certification scheme attesting that a company's measures and activities for protecting the information in its systems meet the certification criteria; ISMS-P additionally covers measures and activities for personal information protection. Criticism that the certification may be ineffective arose after massive personal information leaks occurred repeatedly at certified companies such as Coupang. In response, the government announced plans to overhaul the scheme to increase its effectiveness, including canceling certifications after major data breach incidents.
The Ministry of Science and ICT and the Personal Information Protection Commission decided to conduct annual follow-up audits focused on whether certified companies properly manage the key items most closely tied to actual incidents, such as identifying internet-facing access points, managing access permissions, and applying security patches.
Certifications will be canceled if a company fails to remedy issues identified during an audit, does not submit required documents, or submits false information. If an audit finds significant defects, the certification committee will review the case, and that review can also result in cancellation.
The policy specifies in particular that certification will, as a rule, be canceled when an incident affects more than 10 million people, involves repeated legal violations, or involves intentional or grossly negligent conduct with a significant social impact.
Amendments to the law are also being pursued to allow certification to be canceled for serious violations of the Information and Communications Network Act.
After cancellation, a one-year suspension on re-applying will apply, to push companies toward real security improvements rather than a quick re-certification. During this period, fines for failing to meet the certification obligation will be waived.
