In the span of human history, only about 30 years have passed since the cyber world became active. In that short time, the network-connected information and communication environment has become indispensable to our lives, and activities through the internet are transforming human life itself. It is now a world where adding IT alongside the three essential elements of human life (food, clothing, and shelter) is not awkward. To create a new era in an environment humanity has never experienced before, a new order suited to it is necessary, and the cyber world is no exception.
Through various websites and apps installed on the smartphones or PCs we use, we communicate via SNS, shop, and print official documents: ‘minor’ daily activities that may harbor ‘not-so-minor’ threats. Recently, from a national security perspective, hacking attacks and defenses occur constantly, creating issues from various viewpoints including diplomacy, economy, and trade.
The ISMS-P (Information Security Management System and Personal Information Protection) certification system is the most basic yet effective means to respond to these threats in the cyber world. In an environment where the state cannot handle all information security issues on behalf of organizations, it is the best solution as it instills the skills to ‘fish’ within organizations themselves, enabling them to improve independently.
The certification system inherits the form of ISO international standards, designed to secure independence, objectivity, and expertise, and includes most of the necessary elements for information security. The certification criteria cover the establishment and operation of management systems, protection measure requirements, and personal information processing stage requirements, including administrative, technical, physical aspects, and personal information protection measures.
Currently, ISMS certification is mandatory for organizations that depend heavily on information and communication networks and handle large amounts of sensitive information such as personal data. These include organizations with annual sales or revenue exceeding 150 billion KRW that meet certain conditions, as well as information and communication network service providers (ISPs), integrated data center (IDC) operators, and information communication service providers that meet certain criteria such as sales or user numbers. The certification audit team, composed of the country’s top information security experts, visits the target organizations directly to verify actual implementation and issues certificates when management is at an appropriate level.
However, certification does not guarantee that hacking incidents or personal information leaks will not occur. While operations may have been appropriate at the time of certification, subsequent changes in services or organizational environments may not be properly addressed, and there are limitations in that a limited period and a limited number of auditors cannot thoroughly check every aspect. Nevertheless, having a certain level of security system in place prepares organizations to defend themselves and, when problems arise, to secure resilience and build sustainable organizations or services.
From the user’s perspective, using certified companies can be helpful as they offer relatively more trustworthy services than uncertified, potentially insecure ones. From a national standpoint, it is the most effective system to ensure citizens’ cyber safety from problems arising in the complexly connected networks and internet, and to secure an appropriate level of security amid inter-state cyber territorial conflicts. In particular, it is necessary to mandate ISMS-P certification for national and public institutions managing information more critical than the private sector, and to implement various measures to improve the quality of certification audits and the sustainability of the system.
Park Naryong, Director of the Security Strategy Research Institute
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
![[Public Voices] The Era of Food, Clothing, Shelter, and IT: Why ISMS-P Certification Is Essential](https://cphoto.asiae.co.kr/listimglink/1/2023112108424159976_1700523761.jpg)

