On May 8, 2026, the Ministry of Science and ICT (“MSIT”) announced a tentative list of 693 companies that will be subject to the mandatory information security disclosure obligation for 2026 under the Act on Promotion of Information Security Industry (the “Information Security Industry Act”). The number of companies subject to the mandatory disclosure obligation has increased by 27 compared to the previous year, primarily because more entities are captured under the revenue and user-threshold criteria.
In addition, on May 11, 2026, MSIT issued a public re-notice of proposed amendments to the Enforcement Decree of the Information Security Industry Act, which would significantly expand the scope of entities subject to the mandatory disclosure obligation by removing the KRW 300 billion revenue threshold requirement and extending the obligation to all companies listed on the KOSPI and KOSDAQ markets. The proposed amendments also remove the existing exemptions for public institutions, small enterprises, financial business operators, and electronic financial business operators, and add companies subject to the mandatory ISMS certification obligation to the scope of mandatory disclosure entities. Accordingly, the scope of entities subject to the mandatory disclosure obligation is expected to expand substantially from 2027. We provide below a brief overview of the disclosure obligations and recent relevant regulatory developments for your reference.
1. Overview of Information Security Disclosure Obligation

- Investments in information security;
- Dedicated information security personnel;
- Information security certifications, evaluations, and inspections;
- Activities relating to information security and organization operation; and
- Matters concerning information security related strategy, governance and infrastructure.
Entities subject to the mandatory disclosure obligation are required to disclose relevant materials through the Information Security Disclosure Portal by June 30, 2026. Failure to comply with the disclosure obligation may result in administrative fines of up to KRW 10 million.
In particular, recent disclosure practices have evolved beyond simple quantitative reporting. Companies are now expected to provide more detailed narrative disclosures regarding their information security governance structure, organizational framework, infrastructure, incident response systems, and security strategies.
2. Relationship Between the Information Security Disclosure Obligation and ISMS/ISMS-P Certification
3. Recent Changes to the ISMS/ISMS-P Certification Regime

- Expansion of mandatory ISMS-P certification requirements for large-scale personal information processors;
- Introduction of a tiered certification framework (enhanced/standard/simplified certification);
- Strengthening of technical examinations, including vulnerability assessments and penetration testing;
- Expansion of on-site verification and operational testing during certification reviews;
- Enhanced continuous monitoring and post-certification supervision;
- Certification revocation and strengthened post-incident examination in the event of a major breach incident; and
- Introduction of a tailored review regime for specialized areas such as the AI and cloud sectors.
In light of the above changes, it is expected that future ISMS/ISMS-P certification examinations will place greater focus on the review of security practices in actual operation, vulnerability management, management of internet-facing assets, and incident response systems, rather than mere documentation-based or “snapshot” reviews.
4. Key Takeaways

- ISMS/ISMS-P certification status;
- Information security governance and organizational structure;
- Vulnerability management and incident response systems; and
- Internal documentation supporting disclosure narratives and certification requirements.