A Virtually Unique Case of Voluntary ISMS-P Certification in the Funeral Service Industry
ISMS Requirements Deemed Met Upon Obtaining Higher-Level ISMS-P Certification
CEO Choi Sunghoon Serves as Both CISO and CPO... Dedicated "IS Team" in Operation
"We continue to hold the highest level of security certification, ISMS-P, officially recognized by the government."
Amid growing concerns over information security vulnerabilities in the funeral service industry following the recent hacking incident at Kyowon Group, Sonostation, which operates the domestic funeral brand "Sono I'm Ready," made this statement on January 27.
As of March 2025, Sonostation forms part of the industry's "Top 5," accounting for over 70% of the sector's total advance payments of 10 trillion won, alongside Woongjin Freed Life, Boram Group, Kyowon Life, and The K Yedaham. In response to recent criticism that "none of the top five companies have obtained the government's ISMS (Information Security Management System) certification," Sonostation countered by explaining that this misunderstanding arose from confusion between ISMS and ISMS-P (Information Security and Personal Information Protection Management System).
You can check Sonostation's certification number, certification scope, and validity period in the Korea Internet & Security Agency's "ISMS-P Annual Certification Issuance Status."
Sonostation first obtained ISMS-P certification in 2022 and renewed its validity period until August 2028 through recertification in August last year. The certification scope covers all customer-facing operations, including Sono I'm Ready, hybrid services, Bucket Market, ceremonial services, sales support services, and call centers.
ISMS and ISMS-P certifications are the representative statutory information security certification systems in Korea. According to Article 47 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, the Ministry of Science and ICT and the Personal Information Protection Commission are responsible for policy, while the Korea Internet & Security Agency (KISA) and others serve as certification bodies for management and operation. Four designated organizations, including the Korea Association for ICT Promotion (KAIT), conduct the certification audits.
ISMS certification is divided into mandatory and voluntary applicants. Information and communication network service providers (ISPs), integrated data center operators (IDCs), and companies that meet certain criteria for information and communication service revenue or user numbers are required to obtain ISMS certification. Once acquired, the certification is valid for three years.
ISMS-P is a higher-level certification than ISMS. While ISMS evaluates the information security management system with a focus on physical and administrative security controls, ISMS-P additionally assesses the safety of each stage of personal information processing, such as collection, use, provision, and destruction. There is also a difference in the number of certification standard items: ISMS has 80, while ISMS-P has 101. The audit fee for ISMS ranges from 8 million to 14 million won, whereas ISMS-P ranges from 10 million to 18 million won. However, even for mandatory applicants, obtaining ISMS-P is voluntary. When a company acquires ISMS-P, it is considered to have also obtained ISMS certification.
It is known that, under current law, there are virtually no companies in the domestic funeral service industry that are subject to mandatory ISMS certification. Therefore, Sonostation’s acquisition of ISMS-P is considered unusual. Sonostation stated, "We have made the protection of our customers' personal information our top priority and voluntarily became the first in the industry to obtain ISMS-P certification."
Sonostation currently operates an information security department called the "IS Team." CEO Choi Sunghoon serves as both the Chief Information Security Officer (CISO) and Chief Privacy Officer (CPO). The company has established a continuous monitoring system and a response system capable of detection, blocking, and recovery to prepare for incidents such as ransomware attacks or personal information breaches. Sonostation has also developed response manuals for each type of incident and conducts regular internal inspections and simulation drills to prepare for real-world incidents.
A KAIT auditor who conducted Sonostation's recertification audit in August last year commented, "It typically takes at least four months of preparation to obtain ISMS-P certification," and added, "When considering the costs of deploying internal personnel and building systems, the actual burden on companies is substantial."
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.