This letter provides an overview of Information Security Management System (“ISMS”) certification under the Act on Promotion of Information and Communication Network Utilization and Information Protection, Etc. (“Network Act”), identifies the entities required to obtain this certification, and outlines key timelines.
1. What is an ISMS certification?
An ISMS certification certifies that a company’s IT management system has achieved the required levels of stability, security, and reliability as mandated by the Network Act. This certification is issued by the Korea Internet & Security Agency (“KISA”) – the certifying body – after a thorough review of the company’s technical, administrative, and physical security measures.
2. Who must obtain an ISMS certification?
An ISMS certification is mandatory for internet service providers, internet data center operators, certain hospitals and schools, and, more broadly, both domestic and overseas companies providing online services in Korea that meet either of the following conditions:
- Any company whose sales using information and communication services (e.g., e-commerce business) during the previous fiscal year were at least KRW 10 billion (approx. USD 7.62 million); or
- Any company whose average daily number of users of its online services in the preceding fiscal year was at least 1 million.
As to the first criterion, e-commerce sales would include B2B sales, not only sales to end customers.
3. Deadline and Duration
The deadline for ISMS certification is August 31 of the year following the date when the obligation was triggered. For example, if a company with a fiscal year running from November to October met the revenue threshold during the November 2023 – October 2024 fiscal year, it must obtain ISMS certification by August 31, 2025.
For multinational companies, the certification process typically takes a minimum of nine to ten months from the start of preparation to certification approval. This is due to the need for close internal coordination among local, regional, and headquarters personnel, as well as the necessity of language translations throughout the process. Moreover, for multinational companies, preparing and applying for ISMS certification is often challenging and time-consuming, as it may require making changes to their IT systems to meet local demands tailored to Korean law requirements.
4. Penalty and Risks
Failure to obtain ISMS certification by the deadline can result in a corrective order and/or an administrative fine of up to KRW 30 million (approx. USD 23,000), even for a first-time violator. Furthermore, this fine is not a one-time penalty. It will be imposed annually at the same amount until the certification is obtained.
More importantly, in the event of any personal information breach or leakage, non-compliance could lead to heightened scrutiny during investigations. Additionally, in the event of litigation concerning damages, there is a higher likelihood that negligence could be more easily established.
5. What is an ISMS-P certification?
An ISMS-P certification is a voluntary certification that combines both ISMS and Personal Information Management System certifications into a single review process. By obtaining this certification, a company can show that it complies with the information security and personal data protection standards required by the Network Act and the Personal Information Protection Act.
However, please note that since ISMS-P certification is voluntary, companies can define the scope of their certification based on their needs. This means that the review and certification will be limited to this specified scope.
According to statistics announced by KISA, 25% of applicants for ISMS certification have voluntarily applied for ISMS-P certification as well. This trend reflects the growing interest in ISMS-P and the rising success rate of companies obtaining this certification.
6. Anticipated benefits
Obtaining ISMS or ISMS-P certifications can significantly benefit companies by enhancing the reliability of their information security and personal data protection measures, as well as mitigating potential legal, regulatory, and compliance risks.
Particularly with ISMS-P certification, companies can benefit from a reduction in administrative penalties by up to 40% in the event of a personal information breach or leakage, as it serves as reliable evidence of compliance with relevant laws and regulations. Given the recent trend of increasing administrative penalties imposed by the Personal Information Protection Commission (“PIPC”), obtaining ISMS-P can help minimize companies’ financial and business risks. For example, this May, the PIPC imposed an administrative penalty of approximately KRW 15.14 billion (around USD 11.6 million) on an internet service provider.
Furthermore, applying for this certification provides companies the opportunity to thoroughly examine the entire lifecycle of personal information they collect and process, and ensures compliance with evolving privacy laws and regulations in South Korea.