The Ministry of Science and ICT said on the 20th that it unified the verification procedures required for corporations to enter the public cloud market into a single verification system under the National Intelligence Service. The single system will be fully implemented starting in July next year after about a year of preparation.
Until now, a cloud service corporation seeking to enter the public market had to first obtain the Ministry of Science and ICT's cloud security certification, "CSAP," and then undergo the National Intelligence Service (NIS)'s "security verification." The government has now prepared improvements, chief among them a switch to a single verification system. Security verification is a procedure to verify the suitability of security measures established for cloud computing services. The Cloud Security Assurance Program (CSAP) is a system that evaluates and certifies whether cloud computing service providers comply with information security standards for the services they provide.
The Ministry of Science and ICT said that for products certified under CSAP before the single verification system takes effect, it will recognize their validity periods as is. It will also refine the verification items to match the characteristics of cloud technology, strengthening the security level of public clouds while easing the burden on corporations.
The government will revise the National Cloud Computing Security Guidelines and other rules in the first half of this year to reflect these changes, and after a one-year grace period, it plans to begin full implementation in the second half of 2027.
In addition, to ensure smooth implementation of the new verification regime, a public-private verification review committee will assess the fairness and validity of verification results. The committee will be composed of officials recommended by the Ministry of Science and ICT and other related agencies as well as experts from industry, academia, and research. The expertise of existing CSAP assessment bodies will also be linked to the new system to ensure administrative continuity.
The Ministry of Science and ICT will unify security verification in the public sector under the National Intelligence Service (NIS) standards to enhance security reliability, while in the private sector it plans to integrate the cloud service field into a voluntary security certification within corporations' Information Security Management System (ISMS). ISMS refers to the safe management of a corporation's IT information assets.
The Ministry of Science and ICT said it expects that this system transition will maximize the efficiency of administrative procedures by integrating similar security standards across certifications into one, and create an optimal business environment where corporations can focus more on core service innovation.
Vice Minister Ryu Je-myung of the Ministry of Science and ICT said, "In cooperation with the National Intelligence Service (NIS), we boldly tore down silos between ministries, and through this we will help our corporations clear security hurdles more easily and quickly," adding, "In particular, we will allow a transition period so that existing corporations' investments are not wasted, helping the stable growth of the industrial ecosystem."
Third Deputy Director Kim Chang-seop of the National Intelligence Service (NIS) said, "With this policy, we sought to resolve the difficulties faced by corporations that have suffered from dual regulations, while focusing on raising the security level of public cloud," adding, "We will continue to communicate with the industry so it can take root in a way that eases the burden on corporations."