Comparison with ISMS-P
30.3.1. ISMS-P Overview
ISMS-P (Information Security and Personal Information Protection Management System Certification) is a statutory certification system unique to the Republic of Korea. It is jointly announced by the Ministry of Science and ICT and the Personal Information Protection Commission, with the Korea Internet & Security Agency (KISA) responsible for certification operations.
ISMS-P was launched in 2018 by integrating the former ISMS (Information Security Management System Certification) and PIMS (Personal Information Management System Certification). The purpose of this integration was to enhance certification efficiency and reduce the burden of redundant audits by consolidating information protection and personal information protection into a single management system.
ISMS-P allows organizations to obtain certification for the information protection management system (ISMS) portion alone, or to obtain the full ISMS-P certification including personal information protection. Organizations that do not process personal information may find ISMS certification alone sufficient, while organizations that process personal information should obtain the full ISMS-P certification.
Within South Korea's information protection certification framework, ISMS-P is recognized as the most comprehensive and authoritative certification. In particular, companies above a certain size are subject to a legal obligation to obtain it, making it not merely a choice but a legal requirement.
30.3.2. Certification Criteria
The ISMS-P certification criteria consist of 3 domains with a total of 101 control items.
30.3.2.1. Domain Composition
| Domain | Number of Controls | Description |
|---|---|---|
| Management System Establishment and Operation | 16 | Requirements for establishing, operating, and improving the information protection and personal information protection management system |
| Protective Measures Requirements | 64 | Administrative, technical, and physical protective measures for information protection |
| Personal Information Processing Stage Requirements | 21 | Requirements covering the entire lifecycle of personal information including collection, use, provision, and destruction |
30.3.2.2. Management System Establishment and Operation (16 Items)
The management system establishment and operation domain consists of the following sub-areas.
| Sub-area | Item Count | Key Content |
|---|---|---|
| Management System Foundation | 4 | Executive participation, chief officer designation, organizational composition, scope setting |
| Risk Management | 3 | Information asset identification, status/flow analysis, risk assessment and treatment |
| Management System Operation | 3 | Protective measure implementation, protective measure sharing, operational status management |
| Management System Review and Improvement | 3 | Legal requirement compliance review, management system review, management system improvement |
| Management System Establishment | 3 | Information protection policy establishment, implementation documents, resource allocation |
30.3.2.3. Protective Measures Requirements (64 Items)
The protective measures requirements define specific protective actions that the organization must implement.
| Sub-area | Item Count | Key Content |
|---|---|---|
| Policy, Organization, and Asset Management | 3 | Information protection policy, organization, asset classification and management |
| Personnel Security | 6 | Responsibility assignment, security training, resignation/role change management, security pledges |
| External Party Security | 4 | External party security policy, contracts, status management, security compliance management |
| Physical Security | 7 | Protected zones, access control, information system protection, auxiliary storage media |
| Authentication and Authorization Management | 6 | User registration/deregistration, access rights management, privileged access, access rights review |
| Access Control | 7 | Network access, information system access, application access, database access |
| Encryption Application | 2 | Encryption policy establishment, encryption key management |
| Information System Acquisition and Development Security | 6 | Security requirements definition, security requirements review, test and production environment separation |
| System and Service Operations Management | 7 | Change management, performance/fault management, backup management, log management |
| System and Service Security Management | 5 | Security system operation, cloud security, public server security |
| Incident Prevention and Response | 5 | Incident prevention, vulnerability assessment, incident response training, incident response/recovery |
| Disaster Recovery | 6 | Disaster recovery planning, IT disaster recovery, disaster recovery testing |
30.3.2.4. Personal Information Processing Stage Requirements (21 Items)
These are requirements covering the entire lifecycle of personal information.
| Stage | Item Count | Key Content |
|---|---|---|
| Personal Information Collection | 7 | Collection purpose, minimum collection, unique identifier processing, sensitive information processing, consent acquisition |
| Personal Information Retention and Use | 4 | Restriction on use beyond purpose, additional use/provision, usage history notification |
| Personal Information Provision | 2 | Provision to third parties, overseas transfer of personal information |
| Personal Information Destruction | 4 | Retention period compliance, destruction procedures, irrecoverable destruction |
| Data Subject Rights Protection | 4 | Access request, correction/deletion request, processing suspension request, automated decision refusal |
30.3.3. Legal Obligation
ISMS-P (or ISMS) certification is legally mandatory for organizations meeting certain conditions.
30.3.3.1. Mandatory Certification Targets
The mandatory certification targets under Article 47 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. and its enforcement decree are as follows.
| Target | Criteria |
|---|---|
| ISP (Internet Service Provider) | Entities registered under the Telecommunications Business Act that provide information and communications network services in Seoul and all metropolitan cities |
| IDC (Internet Data Center) | Entities that operate/manage concentrated information and communications facilities for the provision of third-party information and communications services |
| Businesses above a certain size | Entities with annual revenue or income of 150 billion KRW or more in the previous year, or with an average daily user count of 1 million or more during the 3 months preceding the previous year |
| Tertiary and general hospitals | Tertiary and general hospitals above a certain size as defined by the Medical Service Act |
30.3.3.2. Penalties for Non-compliance
If an organization subject to mandatory certification fails to obtain it, the following penalties may be imposed.
- Administrative fine: up to 30 million KRW
- Penalty surcharge: up to 3% of revenue (in the event of a personal information breach)
- Administrative action: corrective orders, penalty surcharge imposition
The legally mandatory nature of ISMS-P is an important differentiator in comparison with TQS. TQS is an internal self-certification with no legal obligation and cannot replace ISMS-P.
30.3.4. Comparative Analysis with TQS
The following table summarizes the comparison between ISMS-P and TQS along key comparison axes.
| Comparison Axis | ISMS-P | TQS |
|---|---|---|
| Certification Purpose | Verification of information protection and personal information protection management system establishment | Code-level technical quality verification |
| Verification Level | Management system/process level | Code/configuration/build level |
| Verification Target | The organization's overall information protection management system | Project source code, CI/CD, build configurations |
| Legal Status | Statutory mandatory certification (above a certain size) | Internal self-certification (no legal obligation) |
| Number of Controls | 101 (Management 16 + Protective Measures 64 + Personal Information 21) | Approximately 80 checklist items (code level) |
| Audit Method | Document audit + on-site audit (KISA certification auditors) | Automated verification + code review (Technical Standards Committee) |
| Access Control Verification | "Has an access control policy been established?" | "Is Spring Security RBAC implemented?" |
| Encryption Verification | "Has an encryption policy been established?" | "Are BCrypt hashing and AES-256 encryption applied?" |
| Personal Information Verification | "Has a privacy policy been published?" | "Are input validation (Bean Validation) and SQL injection prevention implemented?" |
| Change Management Verification | "Has a change management process been documented?" | "Is Git Flow applied and are PR reviews being performed?" |
| Certification Cost | Tens of millions of KRW (audit fees + consulting fees) | Free (internal self-certification) |
| Renewal Cycle | 3 years (annual surveillance audit) | Per major version (continuous CI verification) |
| Certification Body | KISA (Korea Internet & Security Agency) | TIENIPIA Technical Standards Committee |
30.3.4.1. Fundamental Difference
The most fundamental difference between ISMS-P and TQS lies in the verification layer.
ISMS-P verifies whether an organization has established and is operating a management system for information protection and personal information protection. It focuses on administrative aspects such as policy documents, organizational structure, risk assessment results, and incident response procedures. It answers questions such as "Has a secure development process been defined?" and "Is security training being conducted for developers?"
TQS verifies whether those policies are actually reflected in the code. It answers code-level questions such as "Are SQL parameter bindings being used?", "Is v-html not used or is DOMPurify applied?", and "Is CSRF protection enabled in Spring Security configuration?"
30.3.4.2. Difference in Legal Obligation
ISMS-P is a legally mandatory certification. Companies above a certain size must obtain it, and administrative fines and penalty surcharges are imposed for non-compliance. TQS cannot replace this legal obligation and does not aim to do so.
Therefore, companies subject to mandatory ISMS-P certification must obtain ISMS-P certification, and TQS is a supplementary certification applied in addition to it.
30.3.5. Combination Strategy in the Domestic Environment
In South Korea's regulatory environment, applying ISMS-P and TQS together is the most effective strategy.
30.3.5.1. Two-Layer Certification Strategy
| Layer | Responsible Certification | Role | Nature |
|---|---|---|---|
| Management System Layer | ISMS-P | Establishment and operation of information protection/personal information protection management system | Legal obligation (when applicable) |
| Implementation Layer | TQS | Code-level verification of protective measure implementation defined in the management system | Voluntary quality certification |
30.3.5.2. ISMS-P Control Mapping with TQS
Among the ISMS-P protective measures requirements, items corresponding to technical protective measures are directly linked to the TQS checklist.
| ISMS-P Control Item | ISMS-P Verification Content | TQS Verification Content |
|---|---|---|
| Authentication and Authorization Management | Access rights policy establishment, privileged access management procedures | Spring Security RBAC implementation, authorization check code |
| Access Control | Network/system/DB access control policies | SecurityFilterChain configuration, CORS configuration |
| Encryption Application | Encryption policy establishment, encryption key management procedures | BCrypt hashing, TLS configuration, AES-256 implementation code |
| Security Requirements Definition | Procedures for incorporating security requirements during development | Input validation (Bean Validation), XSS prevention (v-html not used) |
| Test and Production Environment Separation | Development/test/production environment separation policy | Spring profile separation (local/dev/staging/prod) |
| Change Management | Change management process documentation | GitHub Flow application, PR review execution, CI/CD pipeline |
| Log Management | Log collection/retention policy | SLF4J logging application, System.out not used |
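The code-level questions listed in 30.3.4.1 and the control mapping in the table above are what a TQS-style CI job actually evaluates. The following is an added example, not code from the original page or from the TQS project: a miniature automated check that scans a constructed set of Java and Vue sources for four of the items named on the page (System.out instead of SLF4J, SQL built by string concatenation instead of parameter binding, CSRF disabled in a Spring Security SecurityFilterChain, and v-html without DOMPurify) and reports every finding under the ISMS-P control item it maps to. The rule identifiers (TQS-LOG-01 and so on), the regular expressions and the sample files are assumptions made for this example and are not TQS checklist numbering.

```python
"""Added example (not TQS project code): a miniature TQS-style automated
check that tags each code-level finding with the ISMS-P control item it
maps to, following the mapping table in 30.3.5.2."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str         # hypothetical rule id, not TQS checklist numbering
    isms_p_control: str  # ISMS-P control item from the mapping table
    path: str
    line: int
    message: str


# Line-level patterns for four of the code-level items named on the page.
_SYSTEM_OUT = re.compile(r"\bSystem\.(out|err)\.print")
_SQL_CONCAT = re.compile(
    r'"[^"]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+', re.IGNORECASE)
_CSRF_DISABLED = re.compile(
    r"csrf\s*->\s*csrf\s*\.disable\s*\(\)"
    r"|csrf\s*\(\s*AbstractHttpConfigurer::disable\s*\)")
_V_HTML = re.compile(r"\bv-html\s*=")


def lines_matching(pattern: re.Pattern, source: str) -> list[int]:
    """1-based line numbers on which the pattern occurs."""
    return [n for n, text in enumerate(source.splitlines(), start=1)
            if pattern.search(text)]


def unsanitized_v_html(source: str) -> list[int]:
    """Page rule: v-html is acceptable only when DOMPurify is applied in the
    same component; otherwise every v-html use is a finding."""
    if "DOMPurify" in source:
        return []
    return lines_matching(_V_HTML, source)


# (rule id, ISMS-P control item, file suffix, message, finder)
RULES = [
    ("TQS-LOG-01", "Log Management", ".java",
     "System.out/err used instead of SLF4J logging",
     lambda src: lines_matching(_SYSTEM_OUT, src)),
    ("TQS-SQL-01", "Security Requirements Definition", ".java",
     "SQL statement built by string concatenation; use parameter binding",
     lambda src: lines_matching(_SQL_CONCAT, src)),
    ("TQS-CSRF-01", "Access Control", ".java",
     "CSRF protection disabled in Spring Security SecurityFilterChain",
     lambda src: lines_matching(_CSRF_DISABLED, src)),
    ("TQS-XSS-01", "Security Requirements Definition", ".vue",
     "v-html used without DOMPurify sanitization", unsanitized_v_html),
]


def scan(files: dict[str, str]) -> list[Finding]:
    """Run every rule whose file suffix matches over each file's source."""
    findings = []
    for path, source in files.items():
        for rule_id, control, suffix, message, finder in RULES:
            if path.endswith(suffix):
                for line in finder(source):
                    findings.append(Finding(rule_id, control, path, line, message))
    return findings


def evidence_by_control(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings per ISMS-P control item, the form an auditor asks for."""
    report: dict[str, list[str]] = {}
    for f in findings:
        report.setdefault(f.isms_p_control, []).append(
            f"{f.path}:{f.line} [{f.rule_id}] {f.message}")
    return report


# Constructed sample sources (path -> contents); two of them are clean.
SAMPLE_FILES = {
    "src/main/java/com/example/SecurityConfig.java": '''\
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.csrf(csrf -> csrf.disable());
    http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
    return http.build();
}
''',
    "src/main/java/com/example/UserRepository.java": '''\
public User find(String name) {
    String sql = "SELECT * FROM users WHERE name = '" + name + "'";
    System.out.println("query: " + sql);
    return jdbc.queryForObject(sql, mapper);
}
''',
    "src/main/java/com/example/OrderService.java": '''\
private static final Logger log = LoggerFactory.getLogger(OrderService.class);
public void place(Order o) { log.info("placing {}", o.id()); }
''',
    "src/frontend/Comment.vue": '''\
<template><div v-html="comment.body"></div></template>
''',
    "src/frontend/Article.vue": '''\
<template><div v-html="sanitized"></div></template>
<script>import DOMPurify from "dompurify";
export default { computed: { sanitized() { return DOMPurify.sanitize(this.raw); } } };</script>
''',
}

if __name__ == "__main__":
    for control, items in evidence_by_control(scan(SAMPLE_FILES)).items():
        print(control)
        for item in items:
            print("   ", item)
```

Running the module prints the findings grouped per ISMS-P control item, which is the shape a surveillance auditor would want as evidence of technical protective measure implementation; in a CI pipeline the job would fail whenever scan() returns a non-empty list. The matchers are deliberately simple line patterns, so a production checker would parse the source (for example a Java AST) to avoid false positives such as SQL keywords inside string literals that are never executed.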
30.3.5.3. Expected Benefits of Combined Application
Applying ISMS-P and TQS together yields the following benefits.
- Policy-Implementation Consistency: TQS objectively proves that protective measures established under ISMS-P are actually implemented in the code.
- Strengthened Audit Readiness: TQS certification results and CI/CD reports can be used as evidence of technical protective measure implementation during ISMS-P surveillance audits.
- Continuous Monitoring: Even between ISMS-P surveillance audits (annual), TQS's CI/CD automated verification continuously confirms protective measure compliance status.
- Improved Developer Security Awareness: Through the TQS checklist, developers gain a concrete understanding of how to technically implement ISMS-P protective measures.
- Reduced Regulatory Compliance Costs: By detecting security issues early in the development stage and fixing them, audit findings are reduced and remediation costs are lowered.
30.3.5.4. Application Priority
Companies subject to mandatory ISMS-P certification should apply in the following order.
- Obtain ISMS-P certification (fulfill legal obligation)
- Map TQS checklist to ISMS-P protective measures
- Integrate TQS automated verification into the CI/CD pipeline
- Obtain TQS certification (code-level quality assurance)
- Use TQS results as supplementary evidence during ISMS-P surveillance audits
Even for companies not subject to mandatory ISMS-P certification, applying the ISMS-P + TQS combination is recommended if they process personal information or operate services where security is critical. ISMS-P handles security at the management system level and TQS handles security at the code level, ensuring security from both directions.