The South Korean government will overhaul the Information Security Management System (ISMS) and the Information Security and Personal Information Protection Management System (ISMS-P) certification schemes. It will mandate ISMS-P certification for key personal data processing systems and strengthen certification audits.
The Ministry of Science and ICT and the Personal Information Protection Commission announced a plan to strengthen the effectiveness of the ISMS and ISMS-P certification schemes at an Economic Ministers' Meeting on Thursday. The overhaul has four strands: expanding mandatory certification and tightening standards, strengthening audit methods, strengthening post-certification management, and ensuring audit quality.
ISMS-P certification to be mandated; on-site-focused audits
The government will mandate ISMS-P certification for key personal data processing systems in the public and private sectors. Targets will include operators of major public systems under the Personal Information Protection Act, mobile carriers, identity verification agencies, and large-scale personal data processors selected by revenue and by the volume of personal data they process.
It will also build a risk-based, differentiated management system. A new enhanced certification will be established and the framework restructured into three tiers: enhanced, standard and simplified. The enhanced tier, for systems with a large impact on people's daily lives, will apply stricter standards and audit methods than before. The certification scope will be expanded in phases so that equipment and facilities related to a certified service are fully included, and digital assets connected to the external internet will be required to fall within scope.
Audit methods will also be tightened. A preliminary screening stage will be added before the main audit: auditors will check key certification criteria in advance, and an organisation that does not meet them will not proceed to the main audit. Technical audits such as vulnerability assessments and penetration tests will be introduced, and on-site verification, including real-time demonstrations of controls, will be strengthened.
The scheme will thus move away from a document-focused review toward on-site, real-time verification, for example by confirming live demonstrations rather than accepting written evidence alone. Audit staffing and duration will be increased. For enhanced certification, dedicated vulnerability inspection personnel will be deployed to examine key information assets closely, and the inspection scope will be expanded.
Stronger post-certification management, higher audit expertise
Post-certification management will also be significantly strengthened. Moving away from the existing snapshot-style checks, the government will continuously monitor whether security levels are maintained after certification. Periodic self-inspection forms will be standardised and examined closely during follow-up audits. If a certified organisation suffers a serious security incident, its certification audit will be temporarily suspended and, once the government investigation is complete, re-verified with expanded staffing and time. Criteria will be specified for cancelling a certification when serious defects are confirmed.
The government will also strengthen the management responsibility of audit institutions and develop auditors' professional capabilities. It will conduct credibility surveys of audit institutions and reflect the results in the following year's allocation of audits, and it will check annually that audit institutions still meet their designation standards. For auditors, it will strengthen practical training and incorporate domain expertise such as artificial intelligence and cloud into the auditor management framework. It will also pursue improvements in auditors' working conditions.
To implement the plan, the Ministry of Science and ICT and the Personal Information Protection Commission will revise enforcement decrees, public notices and guidelines and take follow-up measures such as securing the relevant budgets. From the second half of this year, they will first apply the post-certification management measures, including stronger continuous monitoring and certification cancellation. The expansion of mandatory certification and the differentiated certification framework are planned to take effect from 2027.
Personal Information Protection Commission Chairperson Song Kyung-hee (송경희) said, "We will improve the certification scheme into a core preventive tool for personal information protection and build a digital environment where people can feel safe."
Ryu Je-myung (류제명), second vice minister of the Ministry of Science and ICT, said, "The information security management system certification scheme is a key safety device that enables people to use digital services with confidence." He added, "We will enhance the effectiveness of the certification scheme and develop it into a certification framework that people can trust."