Korea's ISMS-P Certification Is Getting a Complete Overhaul


On March 12, Korea's Ministry of Science and ICT (MSIT) and the Personal Information Protection Commission (PIPC) held a joint field consultation on strengthening ISMS-P certification. They were joined by KISA (Korea Internet & Security Agency), the Financial Security Institute, certification bodies, and auditors.

The bottom line: the era of passing ISMS-P with paper evidence and a single-point-in-time snapshot audit is ending.

The trigger is obvious — certified companies keep getting breached. PIPC Chair Song Kyunghee said the goal is to build a structure where protection measures are maintained continuously, not just validated at audit time. MSIT Vice Minister Ryu Jemyung compared the current system to a health checkup that misses real illness, acknowledging that the system hasn't kept pace with evolving threats.

What's Changing

The government outlined four reform directions.

1. Three-Tier Certification: Basic, Standard, Enhanced

Until now, every company was audited against the same criteria regardless of size or risk. Going forward, certification will be split into three tiers based on risk level: Basic (간편), Standard (표준), and Enhanced (강화).

Telecoms, large platforms, and other high-risk operators will face Enhanced certification with stricter requirements. KISA's Digital Security Certification Division head Kim Sunmi said the Enhanced tier will be developed using major threat case studies and international security requirements as references.

One particularly significant change: externally exposed internet-connected assets must be included in the certification scope. Companies will no longer be able to exclude servers or cloud assets from the audit perimeter. For anyone who's been through an ISMS-P scoping exercise, this is a big deal — scope manipulation has been a persistent issue.

2. New Preliminary Audit + Field Verification

Current ISMS-P audits are essentially snapshots — auditors review documentation at a specific point in time, check a sample, and move on.

The new system introduces two major changes.

Preliminary audit: Before the main audit, core control items (password encryption, latest patch status, etc.) will be verified first. If these aren't met, the main audit doesn't proceed at all. For initial certification, the application is rejected. For surveillance audits, certification can be revoked.

Field verification: Instead of reviewing documents, auditors will directly test live systems. Vulnerability scanners, source code analysis, and penetration testing will become part of the audit process. Audit teams will be expanded with technical specialists, and audit durations will be significantly increased.

This is the most impactful change for practitioners. The standard shifts from "show me the document" to "show me it works."

3. Post-Certification Enforcement — Breach Means Possible Revocation

Certification will no longer be a "get it and forget it" exercise.

For companies that experience a breach, surveillance audit teams and durations will be doubled to intensively examine root causes and remediation measures. If critical deficiencies are found, certification can be revoked.

This means certification maintenance becomes a continuous obligation. The old rhythm of three-year renewal cycles is being replaced by a regime where a breach at any point could trigger revocation.

4. Certification Body Oversight and Auditor Expertise

Audit quality management is also being tightened. Legal grounds are being established for suspending or revoking certification body designations when audit quality falls short. Sector-specific certification committees will be formed, and auditor training will be expanded to cover AI and other emerging technologies.

Connection to the Amended PIPA

This reform doesn't exist in isolation. It directly connects to the mandatory ISMS-P certification provision in the amended Personal Information Protection Act (Art. 32-2(1) proviso, effective July 1, 2027).

The specific criteria for mandatory certification are delegated to presidential decree and haven't been finalized yet. But based on the consultation, targets will likely be defined by revenue and data processing scale — public system operators, telecoms, and major platform companies are expected to be the primary targets.

With mandatory certification taking effect in July 2027 and the audit methodology shifting to field verification before then, organizations that haven't started preparing are already behind.

What to Do Now

The detailed standards haven't been finalized — the formal "ISMS-P Certification Effectiveness Enhancement Plan" is expected to be published soon. But the direction is clear enough to act on.

Re-examine your certification scope. If externally exposed assets — cloud services, SaaS integrations, API endpoints — are excluded from your current scope, they need to be included. Start the scoping exercise now.

Build continuous technical verification. Vulnerability scanning, source code analysis, and penetration testing need to shift from one-time pre-audit exercises to standing operational processes. Point-in-time testing won't survive field verification audits.

Prepare for preliminary audits. Core controls like password encryption and patch management need to be continuously compliant, not just compliant on audit day. Build internal self-assessment processes that run year-round.

Stress-test your incident response. With post-breach certification revocation now possible, your incident response → root cause analysis → remediation pipeline needs to actually work, not just exist on paper.

The government plans to publish the formal enhancement plan incorporating feedback from this consultation. I'll cover it separately once it is released.