🇰🇷

Information Security Management System with Personal Information Protection (Korea)

Korea's combined information security + privacy certification managed by KISA (Korea Internet & Security Agency). Mandatory for many Korean industries; voluntary for others. Penalty: up to 3% of annual revenue (proposed amendments to 10% to align with GDPR).

Severity summary: 1 critical, 10 high, 10 medium, 1 low

ISMS-1.1 | ISMSP-001 | medium

Management System Establishment

Establish ISMS scope, policy, and management commitment.

ISMS-1.2 | ISMSP-002 | high

Risk Assessment

Conduct risk assessment + maintain treatment plan.

ISMS-2.1 | ISMSP-003 | medium

Security Policy

Information security policy documented + maintained.

ISMS-2.5 | ISMSP-004 | critical

Access Control

Access control policies + procedures implemented across all systems.

ISMS-2.6 | ISMSP-005 | high

Cryptography

Cryptographic controls applied appropriately to data at rest + in transit.

ISMS-2.8 | ISMSP-006 | medium

Operations Security

Operational procedures documented + maintained.

ISMS-2.9 | ISMSP-007 | high

Communications Security

Network security + secure information transfer.

ISMS-2.10 | ISMSP-008 | medium

System Development Security

Security requirements integrated into SDLC.

ISMS-2.11 | ISMSP-009 | medium

Supplier Relationships

Information security measures with suppliers documented + monitored.

ISMS-2.12 | ISMSP-010 | high

Incident Management

Information security incident management process.

ISMS-2.13 | ISMSP-011 | high

Business Continuity

Business continuity management for personal information processing systems.

ISMS-P.1 | ISMSP-012 | high

Privacy Policy

Personal information protection policy established + published.

ISMS-P.2 | ISMSP-013 | high

Consent Management

Consent obtained with proper notice + recorded with audit trail.

ISMS-P.3 | ISMSP-014 | medium

Data Lifecycle

Personal data collected, used, and destroyed per policy.

ISMS-P.4 | ISMSP-015 | high

Cross-Border Transfer

Overseas data transfer with adequate safeguards + explicit consent.

ISMS-P.5 | ISMSP-016 | high

Data Subject Rights

Data subject access, correction, deletion rights honored within statutory timeline.

ISMS-P.6 | ISMSP-017 | medium

Pseudonymization

Apply pseudonymization to analytics + research datasets.

ISMS-P.7 | ISMSP-018 | low

Penalty Awareness

Awareness of PIPA penalty structure (up to 3% revenue, proposed up to 10%).

ISMS-2.2 | ISMSP-019 | medium

Organization

Information security organization established with defined roles.

ISMS-2.3 | ISMSP-020 | medium

Human Resources

Personnel security measures: background checks, confidentiality, training.

ISMS-2.4 | ISMSP-021 | high

Asset Management

Information assets identified, classified, and protected.

ISMS-2.7 | ISMSP-022 | medium

Physical Security

Physical and environmental security controls.