PIPC and MSIT Clarify Standards for ISMS/ISMS-P Certification Revocation

2026.01.02

On December 29, 2025, the Personal Information Protection Commission (“PIPC”) and the Ministry of Science and ICT (“MSIT”) convened an interagency meeting on ISMS/ISMS-P certification revocation together with the Certification Committee, which includes certification bodies such as the Korea Internet & Security Agency (“KISA”) and the Financial Security Institute, as well as private sector experts.
 
This meeting was a follow-up to the December 6, 2025 interagency meeting on improving the ISMS/ISMS-P certification system. The initiative responds to growing calls for stricter post-certification oversight, particularly in light of recent cyber incidents and personal data breaches at ISMS-P certified companies. Key discussions included:
 
1. Enhanced Focus on Core Areas During Post-Certification Audits

During annual post-certification audits, authorities will conduct targeted reviews of the areas most directly linked to security incidents, including identification of external internet-facing assets, access control management, and patch management. Certification will be revoked if a company fails to cooperate with post-certification oversight, refuses an audit, fails to submit required materials, or submits false information. Certification may also be revoked, following Certification Committee review, where critical deficiencies are identified during an inspection.
 
2. Certification Revocation Standards for PIPA Violations
 

Where a certified company is sanctioned for violating the Personal Information Protection Act (“PIPA”), its certification may be revoked depending on the severity of the violation. Certification will be revoked as a matter of principle in the following cases:
 

  • Incidents affecting 10 million or more individuals

  • Repeated violations

  • Intentional or grossly negligent violations with significant social impact
     

Separately, amendments to the Network Act are underway that would allow certification revocation for serious violations of that law as well. Detailed standards will be established once the amendments take effect.
 
3. Post-Revocation Management
 

Category | Measures
Mandatory certification entities | Must reapply for certification within a one-year grace period; administrative fines for lacking certification are waived during that period
Voluntary certification entities | Encouraged to recertify in order to maintain an ongoing management system

 
4. ISMS-P Mandatory Certification Developments

ISMS-P certification is currently voluntary. However, amendments to the PIPA that would make certification mandatory for major public and private sector data controllers passed the National Policy Committee on December 17, 2025.
 

Key Takeaways
 
These measures signal a significant strengthening of post-certification oversight for ISMS/ISMS-P certified companies. Certified companies should carefully review their compliance with the certification standards and strengthen their security management systems, since certification may now be revoked on two grounds: critical deficiencies in key areas identified after a cyber incident or data breach, and PIPA violations that result in penalties.
