Government: "ISMS-P Certification to Be Revoked for Repeated or Major Personal Data Breaches"
Key Items to Be Intensively Inspected During Annual Post-Certification Review
Certification to Be Revoked for Refusal of Post-Management or Discovery of Defects
Certification Also to Be Revoked for Intentional or Grossly Negligent Violations
Going forward, even companies that have obtained ISMS-P certification will have their certification revoked if they commit serious legal violations, such as leaking the personal information of more than 10 million people.
The Ministry of Science and ICT and the Personal Information Protection Commission announced on December 29 that they will hold a countermeasure meeting on the cancellation of Information Security Management System and Personal Information Management System (ISMS·ISMS-P) certifications with the Certification Committee.
The relevant agencies, reflecting concerns over the frequent cyber breaches and data leaks at ISMS-P certified companies such as SK Telecom and Coupang, have been building a collaborative system to strengthen post-certification management.
Through this countermeasure meeting, they plan to finalize and immediately implement the detailed standards for certification cancellation that have been under discussion.
The main discussion points are as follows. First, key items closely related to actual incidents, such as identification of external internet-facing assets, access rights management, and patch management, will be intensively inspected during the annual post-certification review for certified companies.
If a company refuses to comply with post-certification management, fails to submit required materials, or submits false information, its certification will be revoked. In addition, if a major defect is found as a result of the inspection, the Certification Committee will review the case and may revoke the certification.
If a certified company is penalized for violating the Personal Information Protection Act, the severity of the violation will be assessed, and the certification may be revoked. In particular, if there is harm to more than 10 million people, repeated legal violations, or intentional or grossly negligent violations with significant social impact, certification will, in principle, be revoked.
Measures for post-cancellation management will also be established. For companies subject to mandatory certification, a one-year grace period for reapplication will be provided after cancellation to encourage substantial security improvements.
During this period, fines for failing to meet certification obligations will be waived to prevent unnecessary burdens on companies. In addition, companies not subject to mandatory certification will be advised to reacquire certification to establish a continuous management system.
A representative from the Personal Information Protection Commission stated, "We will continue to strictly manage the system so that companies failing to meet certification standards or committing serious violations cannot retain their certification, thereby restoring the credibility of the certification system through ongoing cooperation."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.