Korea's CSAP Guide and FAQ Were Revised Together

CompliancePractical Guide

On July 6, KISA's cloud certification team posted two documents together: the Cloud Service Security Certification Guide (2026.07) and the CSAP FAQ (2026.07). They play different roles. The Guide covers how to read each control and what evidence proves it; the FAQ carries how the program itself has changed. And it's the FAQ that hits practice harder.

A SaaS With Generative AI Bolted On Can Still Get Certified

The FAQ got its first revision since it was originally issued in 2023 (2026.05, v1.1), and one of the three reasons for the revision is the generative-AI integration criteria. Here's the gist.

LLM API integration is not restricted. Instead, depending on what data the LLM integration uses (user data vs. public data), evaluators will check, at assessment time, the security activities that keep the certified service's security level from degrading. They even spelled out the relevant controls: 9.2 Virtual Environments, 12.1 Data Protection, 10.1 Access Control Policy, and 14.2.1 Physical Location and Zone Separation.

Why this matters: until now there was no explicit answer to "if I attach generative AI to a public-sector SaaS, what happens to CSAP?" Now there is one. They don't block it, but they treat the path where user data flows out to an external LLM under the data-protection and access-control controls. It's especially notable that 14.2.1 made the list — it reads as a signal that the domestic-only physical-location requirement applies to LLM integration too.

Multi-Cloud Ends With a Paper Review

If you put an already-certified SaaS on a different IaaS with the same configuration and environment, you don't need to get certified again. You file a multi-cloud application with the certification body, they confirm it via a paper review, then add the scope to the certificate and reissue it. You don't get a second certificate — the additional IaaS is named inside the existing certificate. The validity period also stays tied to the original certificate.

For documents, you submit the service operation specification, service certification specification, self-assessment vulnerability specification, and the other materials required at initial assessment, prepared in writing.

For a SaaS vendor who wanted to run on multiple IaaS providers and sell into the public sector, the burden dropped sharply. But there's a "same configuration and environment" condition attached, so if you changed the architecture while moving IaaS, assume you can't take this track.

You Can Run the Vulnerability Assessment Yourself

Self-performed vulnerability assessment also made it into this revision. Summarized:

The self-assessment is performed within six months before the certification assessment. When you apply, you submit only the self-assessment vulnerability specification; the detailed materials like the assessment plan and results are provided as evidence at assessment time. There's no restriction on the tools you use.

The most practical part is this: if you apply with a self-assessment, the assessment body won't re-check it via sampling. Instead, they confirm the results' adequacy through evidence review and interviews — meaning they look at whether the targets, criteria, method, staffing, and duration of the assessment were appropriate.

You can also pick assessment types (CCE, CVE, source code) individually to self-perform. The selectable items differ by certification type; for SaaS, CVE assessment is excluded. Types you don't select are performed by the assessment body.

Handling an EOL/EOS vulnerability by saying "we'll fix it when the product's support ends" is not allowed. Remediation is extended only from the day after the assessment end date for 30 days, up to a maximum of 90 days. If you can't finish within 90 days, the certification assessment may be suspended.

The Guide Reorganized the Controls

The controls themselves didn't grow or shrink. The structure is unchanged: 48 administrative, 11 physical, 47 technical, and 11 protective measures for government agencies. The counts applied per type are also the same: IaaS 116, DaaS 110, SaaS Standard 79, SaaS Simplified 31, Low-grade IaaS 64, Low-grade SaaS 30.

Three things changed.

Each control got an assessment purpose. For example, 1.2.1 Organization Structure now carries the purpose "ensure that information protection activities are planned, executed, and monitored based on a clear responsibility and role structure so that continuous improvement is possible." Whether a CISO appointment document alone is enough, or whether they need to see traces of the organization actually operating, comes down to that one line.

The basis for the reference items changed to corresponding ISMS-P and ISO/IEC 27001·27017 items. For 1.1.3 Information Protection Policy Document Management, ISMS-P 2.1.1 Policy Maintenance and ISO/IEC 27017 5.37 are attached, for instance. For an organization that already holds ISMS-P, this mapping is effectively an evidence-reuse map. Note that while the announcement says the legal basis was removed, in practice it remains exactly where a legal obligation actually applies — like Cloud Computing Act Article 25, Network Act Articles 45-3 and 48-3, and Personal Information Protection Act Article 34.

Public-sector-specific requirements were consolidated into a single item 14: 4 administrative, 2 physical, 5 technical. On paper, it's now cleanly demarcated how far the public-sector add-on burden goes.

What Didn't Change

There are spots that are easy to misread, so I'm noting them.

The physical location of systems and personnel is still domestic-only. A private service dedicated to a single specific agency is not subject to certification. You can't be assessed during the development stage — construction has to be finished. You also can't change the type or grade of a certification you already hold. To move down from SaaS Standard to Simplified, you have to reapply. The high and medium grades haven't taken effect yet; only the low grade is in effect first.

CSAP still isn't a scoring system. Regardless of how many nonconformities there are, you have to remediate every one that's identified before a certificate is issued. From application intake to certificate, figure roughly 2.5 to 5 months.

One thing worth grabbing is the fee discount. If you already hold an information security management system certification whose scope covers the CSAP certification scope and remains validly maintained, you can apply to omit part of the certification assessment. In that case you get a 50% discount on the fee for the paper/on-site assessment areas. If you're already running ISMS, there's no reason not to take it.


Sources