I'm Taking the ISMS-P Auditor Exam This Year

I'm planning to sit for the ISMS-P auditor qualification exam this year. I want to document the process on my blog as I prepare, and this post is the starting point.

The ISMS-P auditor exam is only held once a year. I've read through a lot of reviews from past test-takers, and passing is really not easy. Two or three attempts is the norm, and it's not uncommon to see people on their fourth or fifth try. The scope covers certification standards, information security technology, and personal data protection laws — it's broad. On top of that, a lot of questions require you to identify root causes from audit deficiency scenarios, so pure memorization only gets you so far.

To make things harder, the qualification system itself changed this year. The Korea Internet & Security Agency (KISA) announced the changes in December 2025, and the key point is this: previously, anyone who scored 60 or above on the written exam passed. Starting this year, only the top 100 scorers among those who clear the 60-point threshold will pass. It went from absolute grading to relative grading. The number of applicants allowed through the document screening stage is also now capped at 2,000 on a first-come-first-served basis.

Before, you just needed to beat the 60-point bar — it was a fight against yourself. Now you have to outscore other test-takers. The difficulty jumped significantly. Around the same time, the Ministry of Science and ICT (MSIT) and the Personal Information Protection Commission (PIPC) also announced a comprehensive overhaul of the ISMS-P certification system. With a string of major data breaches at companies like telecom providers and Coupang, the push is to strengthen the credibility of the certification process. Raising the bar for auditor qualifications seems to be part of that trend.


I Decided to Take Risium's Online Course

Given all this, I figured trying to pass within a year through self-study alone would be reckless. 100 out of 2,000 applicants means a 5% pass rate on the written exam. So I decided to enroll in Risium's (라이지움) course. Paid for it out of my own pocket.

I won't lie — the price tag gave me pause. But this exam only comes around once a year, and with the pass rate that low, doing one more thing to tip the odds felt worth it. Rather than dragging it out for two or three years self-studying, investing to get it done in one year seemed like the better call.

I actually wanted to take the in-person classes. But realistically, it's not feasible. I've got business trips scheduled outside Seoul, and even when I'm working on projects in Seoul, my schedule revolves around the client's. If you've ever worked as a consultant, you know — your schedule is not your own. So I went with the online course.


Why I'm Taking This Exam

One thing I want to clarify upfront: the goal isn't to become an active auditor. I've heard from people around me that conducting audits while working a full-time job is extremely difficult in practice. Audits get scheduled on weekdays for several days at a stretch, so juggling that with your main job is tough.

Right now, I enjoy doing ISMS-P audit response consulting, and I plan to keep doing it for the foreseeable future. My reasons for taking the exam are different. I want to increase the value of my career and build a foundation for additional income streams. Having the auditor qualification would deepen my consulting expertise, and it opens up more options down the road.


I'm planning to post updates here and there as I prepare. Study notes, thoughts along the way — that kind of thing. And I really hope I get to write that "I passed the written exam" post.