ISMS-P Certification to Become Mandatory with Stricter Standards; Special Inspection for Coupang

Ministry of Science and ICT and Personal Information Protection Commission Hold Policy Meeting on December 6
Review Process to Be Strengthened, Auditor Expertise Enhanced
Certification Revocation Considered Through Post-Certification Review Process

Going forward, telecommunications companies and major online platforms will be required to obtain ISMS-P certification, which demonstrates that they have established personal information protection management systems. In particular, companies with significant public impact will be subject to strengthened certification standards. Coupang, which currently holds ISMS-P certification, will undergo on-site inspections to assess its compliance with certification standards.

Song Kyunghee, Chairperson of the Personal Information Protection Commission, delivers opening remarks at the meeting on ISMS-P certification improvement held at the Government Complex Seoul on the afternoon of the 6th. Photo by Personal Information Protection Commission

The Ministry of Science and ICT and the Personal Information Protection Commission announced on December 6 that they held a meeting with relevant ministries and will pursue a comprehensive overhaul of the system to enhance the effectiveness of certification. This decision comes in response to repeated incidents of hacking and large-scale personal information leaks at companies with ISMS-P certification.


First, ISMS-P certification, which was previously voluntary, will become mandatory for major public and private personal information processing systems, establishing a continuous safety framework. This will apply to key public systems and entities such as telecommunications companies and online platforms that handle large volumes of sensitive personal information, including resident registration numbers.


In particular, strengthened certification standards will be developed and applied to companies with significant public impact. The Ministry of Science and ICT and the Personal Information Protection Commission plan to amend the Personal Information Protection Act and the Information and Communications Network Act to facilitate these changes.


The review process will also be comprehensively strengthened. At the preliminary review stage, core items will be pre-verified, and technical and on-site verification reviews will be enhanced. The expertise of the certification process will be improved by operating sector-specific certification committees and training auditors in new technologies such as artificial intelligence (AI).

Additionally, post-certification management will be significantly reinforced. In the event of a data breach at a certified company, a special post-certification review will be conducted promptly to determine whether certification standards are still being met. If significant defects in certification standards are discovered during the post-certification review, the certification will be revoked following deliberation and resolution by the certification committee. For companies experiencing incidents, the number of personnel and the duration of post-certification reviews will be doubled, with a focus on investigating the causes of the incident and the implementation of preventative measures.


This month, the Personal Information Protection Commission will begin on-site inspections of certified companies that have experienced data breaches. In particular, for companies like Coupang that are currently under investigation, the certification body will check compliance with certification standards in coordination with the joint public-private investigation team and the Personal Information Protection Commission's investigation. The certification bodies responsible for certification reviews and issuing certificates are the Korea Internet & Security Agency (KISA) and the Financial Security Institute.


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

