[Asia Economy Reporter Seolgina Jo] The Personal Information Protection Commission announced on the 28th a partial amendment to the Notification on Information Security and Personal Information Protection Management System Certification (ISMS-P Certification Notification). The amendment aims to improve the system by reducing the burden on certified companies while making personal information protection and information security more substantive.
The 'ISMS-P Certification' is a national certification system that certifies whether a company's self-established and operated information security and personal information protection management system is appropriate. As of the end of November, 830 companies have been certified.
The amendment focuses on four areas: eliminating similar and overlapping inspections, as continuously requested in the field; improving the announcement procedure for designating audit institutions; strengthening post-management of certification and audit institutions; and preparing detailed inspection items by sector to respond to new technological changes. With this amendment, subcontractors who have obtained ISMS-P certification will be exempt from repeated on-site inspections whenever their contracting companies undergo ISMS-P certification audits.
First, subcontractors who have obtained ISMS-P certification will not need to undergo additional on-site inspections even if their contracting companies undergo certification audits. Until now, companies had to undergo certification audits at least once a year during the three-year validity period, which imposed a heavy burden on subcontractors due to repeated on-site inspections. From now on, for example, a courier company with three contracting clients only needs to undergo one certification audit and will not be subject to additional on-site inspections each time the clients undergo certification audits.
Additionally, the procedure for announcing the designation of audit institutions, which was previously conducted only during specific periods through separate announcements, has been improved so that institutions wishing to be designated as audit institutions can apply at any time. This is expected to expand the number of audit institutions with expertise and capabilities and actively respond to the increasing demand for certification.
Furthermore, as a measure to strengthen post-management of certification and audit institutions, on-site inspections will be conducted to verify whether certification and audit institutions meet the designation criteria, and corrective action orders can be issued for any deficiencies. A new provision has been established requiring that if a certification or audit institution has its designation canceled or is ordered to suspend operations, this fact must be announced in the official gazette or on the websites of the Personal Information Protection Commission or the Ministry of Science and ICT. This is expected to strengthen the supervision system for audit institutions and standardize the quality of audits across different institutions.
Shin Jong-cheol, Director of the Autonomous Protection Policy Division at the Personal Information Protection Commission, said, “With the improvement of the ISMS-P certification system, the burden on companies has been reduced while the substance of the certification system has been strengthened.” He added, “We will continue to improve and develop this system together with the Ministry of Science and ICT so that many companies take an interest in personal information protection, voluntarily obtain ISMS-P certification, benefit their business activities, and enhance public awareness.”
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.

