KAIT (Korea Association for ICT Promotion)

About the Personal Information & Information Security Management System Certification

A certification system that evaluates and certifies whether an organization has systematically established, implemented, inspected, and improved administrative, technical, and physical safeguards to protect information assets and personal information.

Program Objective

To enhance the level of information security within organizations and strengthen personal information protection activities through certification of information security and personal information protection management systems.

Legal Basis

  • Article 47 of the Act on Promotion of Information and Communications Network Utilization and Information Protection (Enforcement Decree Articles 47–54; Enforcement Rule Article 3)
  • Article 32-2 of the Personal Information Protection Act (Enforcement Decree Articles 34-2 to 34-8)
  • Notification on Certification of Information Security and Personal Information Protection Management Systems

Operational Basis

  • In accordance with Article 47(6) and (7) of the Act on Promotion of Information and Communications Network Utilization and Information Protection and Article 53-2 of its Enforcement Decree, and Article 32-2(5) of the Personal Information Protection Act and Article 34-6 of its Enforcement Decree, the Korea Association for ICT Promotion (KAIT) has been designated as an information security and personal information protection management system audit institution (designation number ISMS-P-SIM-02).

Certification Types

  • Information Security and Personal Information Protection Management System Certification (ISMS-P)
  • Information Security Management System Certification (ISMS)
  • Information Security Management System Preliminary Certification

Certification System Structure

Structure diagram of the information security and personal information protection management certification system. The policy institutions — the Ministry of Science and ICT and the Personal Information Protection Commission — are responsible for improving laws and systems, making policy decisions, and designating certification and audit institutions. The certification institutions consist of the Korea Internet & Security Agency (KISA) and the Financial Security Institute (FSI), each with their own certification committee. KISA is responsible for system operation and certification quality management, initial and specialized certification audits, certificate issuance, and the training and qualification management of certification auditors. FSI is responsible for certification audits and certificate issuance in the financial sector. The audit institutions consist of KAIT, TTA, OPA, and NISC, all of which conduct certification audits.

Certification Criteria

Configuration diagram of the information security and personal information protection management system certification criteria. The criteria are organized into three domains:

  • Domain 1, Establishment and Operation of the Management System (16 items)
    • 1.1 Laying the foundation for the management system
    • 1.2 Risk management
    • 1.3 Management system operation
    • 1.4 Management system review and improvement
  • Domain 2, Protection Measure Requirements (64 items)
    • 2.1 Policy, organization, and asset management
    • 2.2 Human security
    • 2.3 Third-party security
    • 2.4 Physical security
    • 2.5 Authentication and access rights management
    • 2.6 Access control
    • 2.7 Encryption
    • 2.8 Information system introduction and development security
    • 2.9 System and service operations management
    • 2.10 System and service security management
    • 2.11 Incident prevention and response
    • 2.12 Disaster recovery
  • Domain 3, Personal Information Processing Stage Requirements (21 items)
    • 3.1 Protection measures when collecting personal information
    • 3.2 Protection measures when retaining and using personal information
    • 3.3 Protection measures when providing personal information
    • 3.4 Protection measures when destroying personal information
    • 3.5 Data subject rights management and protection

Certification Audit Procedure

Flowchart of the information security and personal information protection management system certification audit procedure:

  • Step 1: The applying institution submits an audit application to the certification institution (KISA).
  • Step 2: Preliminary review and contract.
  • Step 3: The certification institution forms an audit team.
  • Step 4: The certification audit is conducted.
  • Step 5: The applying institution submits remediation results.
  • Step 6: The certification audit team submits an audit result report.
  • Step 7: Deliberation and resolution of the audit results is requested from the certification committee (for initial or renewal certification).
  • Step 8: The resolution outcome is received.
  • Step 9: The certificate is issued.

Stage-by-stage details:

  • Application stage: submission of an application letter, certification application form, management system operation statement, and corporate or individual business registration certificate.
  • Contract stage: fee calculation, contract signing, and fee payment, in that order.
  • Audit stage: certification audit, combined report, and remediation details, in that order.
  • Certification stage: deliberation and resolution by the certification committee for initial or renewal audits, and ongoing maintenance by the certification institution.

Types of Certification Audits

Flowchart of information security and personal information protection management system certification audit types. Following the initial audit, the cycle runs on a three-year basis: a follow-up audit one year later, another follow-up audit one year after that, and a renewal audit one year after that.

Initial Audit

An audit conducted when obtaining certification for the first time. It is also conducted when certification is reapplied for due to significant changes in the certification scope. Upon successful completion, a 3-year validity period is granted.

Follow-up Audit

An audit conducted at least once every year during the certification validity period to verify that the information security management system continues to be properly maintained. Conducting this audit annually is required to maintain the granted 3-year validity period.

Renewal Audit

An audit conducted to extend the validity period of the information security management system certification.

Certification Audit Eligible Applicants

Mandatory Applicants (criteria and legal basis)

• Information and communications network service providers (ISPs): entities licensed under Article 6(1) of the Telecommunications Business Act that provide information and communications network services in Seoul and all metropolitan cities

• Internet data center operators (IDCs): operators of integrated information and communications facilities under Article 46 of the Act on Promotion of Information and Communications Network Utilization and Information Protection

• Advanced general hospitals with annual revenue or income of KRW 150 billion or more, and universities with more than 10,000 enrolled students: advanced general hospitals under Article 3-4 of the Medical Service Act; schools under Article 2 of the Higher Education Act

• Entities with annual revenue of KRW 10 billion or more in the information and communications service sector (previous fiscal year for corporations)

• Entities with more than 1 million average daily users in the previous year

Voluntary Applicants

• Organizations not subject to mandatory certification but wishing to obtain certification voluntarily

Preliminary Certification

• Certification conducted prior to full certification to assess readiness for an information security management system

Certification Exceptions

• Small enterprises under Article 2(2) of the Framework Act on Small and Medium Enterprises

• Medium-sized enterprises with less than KRW 30 billion in revenue in the information and communications service sector

• Medium-sized enterprises with KRW 30 billion or more in revenue in the information and communications service sector but without major ICT infrastructure (e.g., proprietary servers, network equipment, security solutions) used for providing their own services