On January 19, 2023, the Korean Ministry of Science and ICT (“MSIT”) released a revised version of its proposed amendment to the Notification on Cloud Security Assurance Program (“CSAP”), and on January 31, it went into effect. Notable changes from the version that the MSIT announced in December 2022 are summarized below:
Localization requirement: To obtain CSAP certification, the service provider’s cloud computing system and its associated data, backup systems, and management and operating personnel must all be located in Korea.
Security certification of equipment: Common Criteria Certification is no longer mandatory, and equipment whose safety has been confirmed by the National Intelligence Service may be used.
System isolation and segregation of areas: Regular monitoring for unauthorized access to prevent “unexpected communications channels” is required.
While the amendment still allows for logical (as opposed to physical) separation of networks, the above localization requirement is a factor that multinational service providers must address for CSAP clearance.