On December 6, 2025, the Ministry of Science and ICT (“MSIT”) and the Personal Information Protection Commission (“PIPC”) announced their plans to reform the existing certification systems for the information security management system (“ISMS”) and the personal information protection system (“ISMS-P”). This announcement comes on the heels of a series of large-scale data breach incidents that have occurred at ISMS/ISMS-P-certified companies and is expected to impact both the already-certified companies and future applicants.
The MSIT and PIPC outlined four primary areas of reform:
- Mandatory Certification: Major public and private personal information processing systems (e.g., major public systems, telecommunications service providers, online platforms) must now obtain the previously optional ISMS-P certification.
- Strengthened Standards: The government will apply stricter certification standards to services that significantly impact the public, such as telecommunications service providers and large online platforms.
- Improved Audit Method: The new process will verify key items during the preliminary audit stage and enhance technical and on-site audits.
- Stronger Ongoing Management Requirements: The government will significantly strengthen the ongoing obligations of certified companies to manage their information security systems.
To implement these changes, the government plans to amend the Personal Information Protection Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection.
Key Details of Proposed Measures to Strengthen Certification System[1]

| Category | Current | Updated |
|---|---|---|
| Application for Certification | Management System Operation Manual | Management System Operation Manual + Additional asset inventory in the scope of the certification |
| Pre-screening | On-site Visits by the Audit Team Leader (1 person for 1 day) | ① Pre-validate core certification items, and ② Apply technical assessment methods (vulnerability assessment, penetration testing) to ISMS (high-risk or incident-affected organizations) and ISMS-P |
| | | In case of non-compliance with the key requirements → cannot proceed with the main audit → (for initial certification) reject the certification application, (post-certification audit) revocation of the effect of certification |
| Main Audit | Written and sampling inspection (5 days) | Written inspection + ③ Written inspection + On-site audit focused on the core system |
| Post-Certification Audit | Visit by the Audit Team Leader (1 person, 1 day) | Visit by Audit Team Leader + Additional audit personnel for each level of defect |
Regarding post-certification audit, the government plans two key actions:
- Conduct timely and in-depth ex post facto audits in case a certified company experiences a data breach to verify compliance with certification standards.
- Revoke certification following a Certification Committee deliberation and resolution if the audit uncovers material non-compliance with the certification standards.
The government will also double the number of employees and the audit period, prioritizing inspections into the root cause of cybersecurity incidents and preventative measures.
- Starting this month, the PIPC will conduct on-site inspections of all certified companies that have experienced a data breach.
- For companies already under investigation, the PIPC and the public-private joint investigation team (including the MSIT and certification agencies such as the Korea Internet and Security Agency and Financial Security Agency) will jointly conduct an on-site inspection to verify compliance with certification standards.
The MSIT recently directed over 900 ISMS-certified companies (e.g., telecommunications service providers, online shopping malls) to perform an emergency self-inspection, including security vulnerability checks of all Internet connections. The MSIT plans to conduct on-site inspections of these self-assessment results beginning early next year.
Given the announced plans for reform, companies that plan to obtain or renew ISMS or ISMS-P certifications, or those requested by the MSIT to conduct an emergency self-inspection, should thoroughly review their personal information security management systems to ensure compliance with applicable laws and regulations.
[1] Note: Based on a press release from the Ministry of Science and ICT (Link)