Government: "ISMS-P Certification to Be Revoked for Repeated or Major Personal Data Breaches"

Key Items to Be Intensively Inspected During Annual Post-Certification Review
Certification to Be Revoked for Refusal of Post-Management or Discovery of Defects
Certification Also to Be Revoked for Intentional or Grossly Negligent Violations

Going forward, even companies that have obtained ISMS-P certification will have their certification revoked if they commit serious legal violations, such as leaking the personal information of more than 10 million people.


The Ministry of Science and ICT and the Personal Information Protection Commission announced on December 29 that they will hold a countermeasure meeting on the cancellation of Information Security Management System and Personal Information Management System (ISMS·ISMS-P) certifications with the Certification Committee.


The relevant agencies, reflecting concerns over the frequent cyber breaches and data leaks at ISMS-P certified companies such as SK Telecom and Coupang, have been building a collaborative system to strengthen post-certification management.


Through this countermeasure meeting, they plan to finalize and immediately implement the detailed standards for certification cancellation that have been under discussion.


The main discussion points are as follows. First, key items closely related to actual incidents (such as identification of external internet-facing assets, access rights management, and patch management) will be intensively inspected during the annual post-certification review of certified companies.


If a company refuses to comply with post-certification management, fails to submit required materials, or submits false information, its certification will be revoked. In addition, if a major defect is found as a result of the inspection, the Certification Committee will review the case and may revoke the certification.


If a certified company is penalized for violating the Personal Information Protection Act, the severity of the violation will be assessed, and the certification may be revoked. In particular, if there is harm to more than 10 million people, repeated legal violations, or intentional or grossly negligent violations with significant social impact, certification will, in principle, be revoked.


Measures for post-cancellation management will also be established. For companies subject to mandatory certification, a one-year grace period for reapplication will be provided after cancellation to encourage substantial security improvements.


During this period, fines for failing to meet certification obligations will be waived to prevent unnecessary burdens on companies. In addition, companies not subject to mandatory certification will be advised to reacquire certification to establish a continuous management system.


A representative from the Personal Information Protection Commission stated, "We will continue to strictly manage the system so that companies failing to meet certification standards or committing serious violations cannot retain their certification, thereby restoring the credibility of the certification system through ongoing cooperation."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
