Chairperson Song Kyung-hee of the Personal Information Protection Commission holds a meeting on improvements to ISMS-P certification at the Government Complex Seoul in Jongno-gu, Seoul, on the afternoon of the 6th. The session was convened following hacking and other personal data leaks at corporations such as Coupang that had received ISMS-P certification. /Courtesy of News1

The government will significantly toughen the certification systems for the Information Security Management System (ISMS) and the Personal Information and Information Security Management System (ISMS-P). The move follows repeated hacks and massive personal data leaks at certified corporations, including Coupang. The aim is to shift to a more effective certification framework.

At a meeting of related ministries on the 6th, chaired by Personal Information Protection Commission Chairperson Song Kyung-hee and attended by the second vice minister of the Ministry of Science and ICT and the head of the Korea Internet & Security Agency (KISA), the government finalized plans to strengthen the entire certification process and decided to push legal and institutional reforms.

First, the government will effectively mandate ISMS-P for major public and private personal information processing systems. Until now, it has been a voluntary certification that corporations and institutions could apply for at their discretion. Going forward, the system will be revised to require certification for public systems, telecommunications carriers, and online platforms.

For corporations with a large user base, such as telecom companies and major platform operators, the government will also prepare separate, strengthened certification standards. To do this, it will pursue amendments to the Personal Information Protection Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection.

The review method will also change dramatically. From the preliminary review stage, core items will be verified first, and if they are not met, the entity will not be allowed to proceed to the main review.

In the main review, the government will move away from the existing paper-based and sampling approach and strengthen on-site, demonstration-based reviews centered on core systems. It will operate certification committees by sector and expand training on new technologies such as AI for auditors to enhance expertise.

Post-certification management will also become stricter. If a leak occurs at a certified corporation, a special post-review will be conducted immediately to check whether certification standards are being met. If serious defects are found in the process, certification will be revoked after deliberation by the certification committee.

For corporations involved in incidents, the government will deploy twice the existing number of reviewers and extend the review period to focus on examining the causes and preventive measures. The Personal Information Protection Commission (PIPC) plans to begin on-site inspections of corporations that have had leaks starting this month.

In particular, for corporations currently under investigation, including Coupang, the government plans to check compliance under the supervision of the certification body in connection with the joint public-private investigation team of the Ministry of Science and ICT and the Personal Information Protection Commission (PIPC).

As a follow-up to the Information Security Comprehensive Measures released in October, the Ministry of Science and ICT asked about 900 ISMS-certified corporations in telecom and online shopping, among others, to conduct an emergency self-check of security vulnerabilities at all internet touchpoints. Based on the results of the corporations' checks, the government will begin on-site verification early next year.

Based on the results of discussions by the joint task force of the Ministry of Science and ICT, the Personal Information Protection Commission (PIPC), and certification bodies, which has been operating since last month, and on the results of special inspections, the government plans to revise the relevant notices in the first quarter of next year and implement them in stages.
