SEOUL – The South Korean government has announced a stringent overhaul of the national information security certification system. Under the new measures, companies that suffer massive personal data leaks involving more than 10 million people will face immediate revocation of their security certifications.
The Ministry of Science and ICT and the Personal Information Protection Commission (PIPC) held a joint meeting on the 29th with the Korea Internet & Security Agency (KISA) and the Financial Security Institute to finalize the revised criteria for the Information Security Management System (ISMS) and ISMS-P (Information Security & Personal Information Protection Management System).
Restoring Public Trust
The reform comes in response to growing criticism that the current certification system is "toothless," as several ISMS-P-certified companies, including e-commerce giant Coupang, have repeatedly suffered major data breaches. To restore the system's effectiveness, the government will shift its focus to "post-incident accountability."
Under the new guidelines, authorities will conduct annual post-certification inspections focused on the control areas most often implicated in real-world intrusions: inventorying internet-facing assets and external access points, access-control permissions, and security patching.
Strict Revocation Thresholds
The government clarified that certifications will be revoked in the following cases:
Massive Leaks: When a breach affects more than 10 million individuals.
Gross Negligence: In cases of repeated legal violations or when social harm is significant due to intentional or gross negligence.
Non-compliance: If a company fails to implement corrective measures identified during audits or submits false data.
Furthermore, legislative amendments are underway to allow certification to be revoked for serious violations of the Information and Communications Network Act, independent of the thresholds above.
A Grace Period for Improvement
Once a certification is revoked, the company will be barred from re-applying for one year. This "cool-off" period is designed to force companies to focus on substantial security improvements rather than simply regaining the credential. To encourage this transition, the government will temporarily waive administrative fines for failing to maintain the mandatory certification during this one-year period.
"The solidarity of our security management system is essential for digital trust," a government official stated. "This overhaul ensures that the ISMS-P badge is not just a formality, but a genuine indicator of a company’s commitment to protecting user data."
[Copyright (c) Global Economic Times. All Rights Reserved.]