Korea's ISMS-P Reform Plan Is Now Official — Here's Everything That's Confirmed
I covered the initial direction from the March consultation. On April 10, PIPC and MSIT formally announced the "Plan for Strengthening the Effectiveness of the ISMS/ISMS-P Certification System" at the Economic Ministers' Meeting. What was a set of policy directions is now a plan with concrete numbers and timelines.
The trigger: over the past three years, 179 certified companies (roughly 14%) experienced security breaches. The certification system has failed as a preventive measure, and the government is responding with a structural overhaul.
The confirmed plan has four pillars.
1. Expanded Mandatory Scope and Tiered Standards
ISMS-P Becomes Mandatory
ISMS-P certification, previously voluntary, will become mandatory for:
- Major public system operators
- Mobile telecom carriers
- Identity verification agencies
- Large-scale personal data processors (based on revenue and data volume)
When ISMS-P is mandatory, the administrative fine reduction benefit will not apply — mandatory compliance is expected, not rewarded.
Three-Tier Certification
The one-size-fits-all model is replaced by three tiers: Enhanced, Standard, and Lite.
| Tier | Description | Criteria Count |
|---|---|---|
| Enhanced (Advanced) | High-risk operators, elevated security | Standard criteria + 20 enhanced criteria (76 detailed checkpoints) |
| Standard | Core security principles | ISMS 80 / ISMS-P 101 |
| Lite | Reduced burden | ISMS 44 / ISMS-P 65 |
Enhanced certification targets include ISPs and IDCs with revenue over KRW 1 trillion and IT service providers with revenue over KRW 3 trillion.
Enhanced Certification Criteria — Examples
Specific examples of the 20 additional Enhanced criteria have been published:
- Executive designation: CISO and CPO must report directly to the CEO with actual security control authority
- Asset identification: Automated tools required for asset/component inventory and detection of unauthorized components
- Integrity verification: Tools to detect unauthorized changes to software and firmware
- Automated account management: Full lifecycle automation for system accounts with real-time status updates
- Strengthened authentication: Mandatory enhanced authentication for critical systems; adaptive authentication based on risk level
- Credential management: Systematic lifecycle management of access tokens, API keys, and other credentials
- Network access hardening: Minimize external connection points; physical or logical separation between exposed services and critical networks
Scope Expansion
All equipment and facilities related to certified services must be included without exception. Internet-facing digital assets must be included in the certification scope — the scope manipulation loophole is being closed, as previewed in March.
2. Strengthened Audit Methods
Audit Team Restructuring
Specific staffing and duration numbers are now confirmed.
| Type | Current | Standard (Improved) | Enhanced / Breach Companies |
|---|---|---|---|
| ISMS | 5 people, 5 days | 6 people, 5 days | 10 people, 10 days |
| ISMS-P | 5 people, 7 days | 6 people, 7 days | 10 people, 12 days |
Enhanced certification audits will include dedicated vulnerability assessment specialists drawn from specialized assessment firms. The number of assets subject to inspection rises from 10 to as many as 500.
Revised Audit Procedure
| Phase | Current | Revised |
|---|---|---|
| Application | Operations statement | Operations statement + asset inventory and risk assessment |
| Preliminary audit | Team leader, 1 day | Core item pre-verification + technical audit (vulnerability assessment, pen testing) |
| Main audit | Document review, sampling (5 days) | Document review + field verification methods |
| Implementation audit | Team leader, 1 day | Team leader + additional staff based on deficiency level |
If core items fail the preliminary audit, the main audit is blocked entirely. Initial certification applications are rejected; for surveillance audits, failure to remediate leads to revocation.
Core Items (Draft)
- Whether CISO/CPO has actual authority over security policy
- Identification of personal data processing and internet-facing assets
- Password and encryption implementation on personal data processing systems
- Vulnerability and patch management
Technical Audit Procedure
Asset identification → Scope setting → Vulnerability assessment → Results review
Four types of vulnerability assessment will be conducted:
| Type | CVE | CCE | Source Code | Pen Testing |
|---|---|---|---|---|
| Scope | Asset identification, vulnerability scanning | Security configuration (accounts, permissions) | Software weakness analysis | Scenario-based intrusion testing |
| References | CVE, KrCERT, National Cyber Security Center | Critical infrastructure assessment, CIS Benchmarks | CWE, KISA Secure Coding Guide | MITRE ATT&CK |
Field Verification Examples
The plan includes specific examples of live verification methods:
- Asset identification (1.2.1): On-site inspection of asset management systems; network scanning tools if needed
- Offboarding management (2.2.5): Create test accounts, simulate termination, verify account/permission revocation procedures
- Anomaly monitoring (2.11.3): Inject anomaly scenarios, inspect server and security system logs on-site
- Incident response and recovery (2.11.5): Encrypt test files and perform live recovery demonstration
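As an added illustration of what the 2.2.5 offboarding check looks like when an organization automates it ahead of the on-site test (this is not code from the government plan or the press release): a constructed HR termination list is reconciled against an account export, and a test identity is provisioned on two systems, run through a deliberately incomplete deprovisioning routine, and re-checked. The record layout, the system names, the grace period, and all sample data are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Account:
    user_id: str
    system: str           # assumed system label, e.g. directory, VCS, VPN
    enabled: bool
    groups: set[str]      # group / role memberships still attached
    last_login: date | None


@dataclass(frozen=True)
class Finding:
    user_id: str
    system: str
    issue: str


def check_offboarding(terminations: dict[str, date],
                      accounts: list[Account],
                      today: date,
                      grace: timedelta = timedelta(days=0)) -> list[Finding]:
    """Reconcile HR terminations against an account export.

    A leaver's account is expected to be disabled and stripped of memberships
    once termination date + grace has passed (grace is an assumption, zero here);
    any login after the termination date is flagged regardless of state.
    """
    findings: list[Finding] = []
    for acct in accounts:
        term = terminations.get(acct.user_id)
        if term is None:
            continue                      # still employed, nothing to check
        if acct.last_login and acct.last_login > term:
            findings.append(Finding(acct.user_id, acct.system,
                                    f"login on {acct.last_login} after termination {term}"))
        if today < term + grace:
            continue                      # revocation not yet due
        if acct.enabled:
            findings.append(Finding(acct.user_id, acct.system, "account still enabled"))
        if acct.groups:
            findings.append(Finding(acct.user_id, acct.system,
                                    "retains memberships: " + ", ".join(sorted(acct.groups))))
    return findings


def naive_deprovision(accounts: list[Account], user_id: str) -> None:
    """Deliberately incomplete deprovisioning (an assumed weak implementation):
    disables the directory account only and leaves other systems and
    memberships untouched. This is the gap the drill is meant to expose."""
    for acct in accounts:
        if acct.user_id == user_id and acct.system == "directory":
            acct.enabled = False


def offboarding_drill(deprovision, today: date) -> list[Finding]:
    """The 2.2.5 field test: create a test identity on several systems, run the
    organisation's deprovisioning routine against it, then reconcile."""
    test_user = "audit-drill-01"
    accounts = [
        Account(test_user, "directory", True, {"vpn-users"}, None),
        Account(test_user, "gitlab", True, {"developers"}, None),
    ]
    deprovision(accounts, test_user)
    return check_offboarding({test_user: today}, accounts, today)


# Constructed sample data for the example (not real records).
TODAY = date(2026, 4, 10)
TERMINATIONS = {"t.kim": date(2026, 4, 1)}
ACCOUNTS = [
    Account("t.kim", "directory", False, {"vpn-users"}, date(2026, 3, 30)),
    Account("t.kim", "gitlab", True, {"developers"}, date(2026, 4, 3)),
    Account("a.lee", "gitlab", True, {"developers"}, date(2026, 4, 9)),
]


def main() -> None:
    for f in check_offboarding(TERMINATIONS, ACCOUNTS, TODAY):
        print(f"[reconcile] {f.user_id}@{f.system}: {f.issue}")
    for f in offboarding_drill(naive_deprovision, TODAY):
        print(f"[drill] {f.user_id}@{f.system}: {f.issue}")


if __name__ == "__main__":
    main()
```

The reconciliation flags three distinct failure modes the auditor will look for on site: an account that is disabled but still holds group memberships, an account on a second system the deprovisioning routine never touched, and a login recorded after the termination date. Running the same check on a schedule, rather than once before the audit, is what the plan's "year-round" expectation amounts to in practice.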
3. Strengthened Post-Certification Management
Continuous Monitoring
Post-certification, core items will be periodically verified. KISA will standardize and distribute inspection templates; these will be the focus of surveillance audits. This targets the practice of performing security management only around audit time.
When a Major Breach Occurs
- Certification audits and deliberations are suspended until government investigation and sanctions are complete (validity period conditionally extended)
- When audits resume, staffing and duration are doubled; root cause and remediation are the focus
- A standing breach history sharing system between government agencies and certification bodies will be established (managed by KISA)
Certification Revocation Criteria
No ISMS/ISMS-P certification has ever been revoked since the system launched. That changes now. Revocation triggers include:
| Ground | Examples |
|---|---|
| Refusal/obstruction of post-certification management | Abandoning post-management, not applying for surveillance audit, refusing to submit required documents |
| Failure to meet certification standards | Unresolved critical deficiencies (EoS not addressed, missing security patches, no log retention, etc.) |
| Serious legal violation | Severe violations of the Network Act or PIPA |
Critical deficiencies cannot be accepted through executive risk acceptance. If not remediated within 100 days, the case is escalated to the Certification Committee for revocation deliberation.
4. Certification Body and Auditor Expertise
- Trust surveys: Post-audit trust surveys of certification bodies; results affect next year's audit allocation
- Certification body oversight: Failure to meet designation standards triggers business suspension (3–6 months); three suspensions lead to designation revocation
- Specialization tracking: Auditor expertise in AI, cloud, etc. will be tracked and used for priority assignment
- Auditor compensation: Pay aligned to average software professional wages
- Technical audit guide: KISA to develop and distribute audit methodology guides reflecting current threats, ensuring audit consistency
Implementation Timeline
| Item | Timing | Legal Basis |
|---|---|---|
| Continuous monitoring, revocation, breach history management | H2 2026 ~ | Public notice, guidelines |
| Certification criteria guide revision | H2 2026 ~ | Guidelines |
| ISMS-P mandatory requirement | H2 2027 ~ | PIPA enforcement decree, public notice |
| Tiered certification, enhanced criteria, scope expansion | 2027 ~ | Network Act enforcement decree, public notice |
| Audit team restructuring, procedure changes | 2027 ~ | Enforcement decrees, public notice |
| All certification body/auditor items | 2027 ~ | Public notice, guidelines |
What Changed Since March
The direction is the same, but the confirmed details are new:
- Enhanced certification thresholds: Revenue over KRW 1 trillion for ISPs/IDCs, over KRW 3 trillion for IT service providers
- Lite tier introduced: ISMS 44 criteria, ISMS-P 65 criteria for reduced compliance burden
- Enhanced criteria: 20 new criteria (76 detailed checkpoints) with published examples
- Asset inspection count: From 10 to up to 500
- Revocation grounds and procedures: Critical deficiency criteria, 100-day remediation window
- Fee increases expected: Technical audit ratio for ISMS-P rising from 10% to 20%; auditor pay indexed to average SW professional wages
- Concrete implementation timeline: H2 2026 and 2027 milestones confirmed
Practical Takeaways
The action items from the March post remain valid, but with confirmed specifics, there's more to add.
- Check if you fall under Enhanced certification. The revenue thresholds are now defined. If you qualify, your preparation scope expands significantly.
- Prepare for technical audits. CVE, CCE, source code analysis, and penetration testing are now part of the audit. You need a standing technical verification capability, not annual one-offs.
- Maintain core items year-round. Failing the preliminary audit blocks the main audit entirely. CISO/CPO authority, asset identification, encryption, and patch management must be maintained continuously.
- Learn the critical deficiency criteria. These will be published in the certification criteria guide. When they drop, review them immediately and incorporate into your self-assessments.
- Budget for higher fees. Factor in the fee increases, especially for Enhanced certification: 10 auditors over 10–12 days is a different cost structure.
Continuous monitoring and certification revocation start in H2 2026, only months away. ISMS-P mandatory certification and tiered audits follow in 2027, roughly one year from now.
Sources
- PIPC & MSIT, "Plan for Strengthening the Effectiveness of the ISMS/ISMS-P Certification System" (2026.4.10)
- PIPC & MSIT, Press Release: "Government Overhauls Certification System to Prevent Data Breaches" (2026.4.10)