External Certification Comparison Overview
30.1.1. Purpose of Comparison
TQS is a proprietary certification standard defined internally by TIENIPIA that directly verifies software quality at the code level. However, in addition to TQS, various certification frameworks exist for software quality and security, including international standards and domestic (South Korean) statutory certifications.
This chapter systematically compares TQS with major external certifications to achieve the following objectives.
- Positioning Clarification: Defines how TQS differs from existing certifications and which domains it complements.
- Complementary Relationship Identification: TQS does not replace existing certifications; rather, it covers code-level verification that existing certifications do not address. This section presents combination strategies with each certification.
- Decision Support for Adoption: Provides the basis for project teams to determine how to combine TQS with external certifications according to business requirements.
Existing certifications verify "what must be done" at the policy and process level. TQS verifies "how it was actually implemented" at the code, configuration, and build pipeline level. This fundamental difference is the core positioning of TQS.
30.1.2. Selection Criteria for Comparison Targets
The certifications selected for comparison were chosen based on the following criteria.
| Selection Criteria | Description |
|---|---|
| Software Relevance | Certifications directly related to software development, operations, and security are prioritized. |
| Domestic and International Representativeness | Both internationally recognized certifications and domestic statutory certifications are included. |
| Practical Frequency | Certifications that domestic software companies frequently obtain or are required to obtain are selected. |
| Verification Domain Diversity | Covers different verification domains including security, quality, process maturity, and service operations control. |
The comparison targets selected based on these criteria are as follows.
| Certification | Reason for Selection |
|---|---|
| ISO 27001 | International standard in information security, the most widely recognized security certification domestically and internationally |
| ISMS-P | South Korean statutory certification that integrates the information security management system (ISMS) and the personal information protection management system into a single scheme |
| ISO 9001 | International standard in quality management, a universal quality certification applicable to all industries |
| CMMI | Software process maturity assessment model, frequently required for large-scale SI and public-sector bids |
| SOC 2 | AICPA attestation on the internal controls of a service organization (SaaS/cloud services); strictly an auditor's report rather than a certificate, used to establish trust in the B2B market |
30.1.3. Comparison Framework
The following comparison axes are defined to compare each certification on a consistent basis.
| Comparison Axis | Description | Evaluation Criteria |
|---|---|---|
| Certification Purpose | The core objective that the certification aims to achieve | Whether it focuses on security / quality / process / code |
| Certification Scope | The unit to which the certification applies | Entire organization / department / service / project + version |
| Verification Level | The depth at which verification is performed | Policy level / process level / code level |
| Audit Method | The audit procedure for obtaining the certification | Document audit / on-site audit / automated verification / code review |
| Key Deliverables | Core documents and evidence required during the certification process | Policy documents / process documents / source code / build results |
| Certification Cost | The cost level required to obtain the certification | Free / low cost / medium cost / high cost |
| Renewal Cycle | Certification validity period and renewal method | Annual / 3 years / per version, etc. |
| Certification Body | The entity that grants the certification | International body / government agency / private organization / internal (self) |
| Legal Obligation | Whether acquisition is mandatory by law | Mandatory / voluntary |
| Time Required | The period from certification preparation to acquisition | Days / weeks / months |
30.1.4. Comprehensive Comparison Table
The following table provides a comprehensive summary comparing the target certifications with TQS according to the comparison framework.
| Comparison Axis | ISO 27001 | ISMS-P | ISO 9001 | CMMI | SOC 2 | TQS |
|---|---|---|---|---|---|---|
| Certification Purpose | Establishment and operation of an information security management system | Establishment of information protection and personal information protection management system | Establishment and continuous improvement of a quality management system | Improvement of software process maturity | Verification of internal controls of service organizations | Code-level technical quality verification |
| Certification Scope | Entire organization or specific scope (business unit) | Entire organization or specific service | Entire organization or business unit | Entire organization (process areas) | Service unit | Project + version unit |
| Verification Level | Policy/process level | Policy/process level | Process level | Process level | Operations control level | Code/configuration/build level |
| Audit Method | Document audit + on-site audit | Document audit + on-site audit | Document audit + on-site audit | Document audit + on-site assessment (SCAMPI) | Auditor examination + evidence verification | Automated verification + code review |
| Key Deliverables | Information security policy, risk assessment, Statement of Applicability (SoA) | Management system documents, risk assessment, privacy policy | Quality manual, process documents, internal audit records | Process definitions, measurement data, improvement plans | SOC 2 audit report (Type I/II) | Source code, CI/CD build results, coverage reports |
| Certification Cost | High cost (tens of millions of KRW+) | High cost (tens of millions of KRW+) | Medium cost (millions to tens of millions of KRW) | High cost (hundreds of millions of KRW) | High cost (tens to hundreds of millions of KRW) | Free (internal self-certification) |
| Renewal Cycle | 3 years (annual surveillance audit) | 3 years (annual surveillance audit) | 3 years (annual surveillance audit) | 3 years (re-assessment) | Annual (Type II basis) | Per major version (continuous CI verification) |
| Certification Body | Internationally accredited Certification Body (CB) | KISA (Korea Internet & Security Agency) | Internationally accredited Certification Body (CB) | ISACA (CMMI Institute) | AICPA-certified auditor (CPA firm) | TIENIPIA Technical Standards Committee (internal) |
| Legal Obligation | Voluntary (may be required by contract) | Mandatory for statutorily designated entities (the ISMS portion; the personal information portion is voluntary) | Voluntary | Voluntary (may be required for public bids) | Voluntary (may be required by B2B contracts) | Voluntary (internal policy) |
| Time Required | 6-12 months | 6-12 months | 3-6 months | 12-24 months | 3-12 months | 1-2 weeks |
| Automation Level | Low (manual audit-centric) | Low (manual audit-centric) | Low (manual audit-centric) | Low (manual assessment-centric) | Medium (partial monitoring automation) | High (CI/CD-based automated verification) |
| Feedback Cycle | Annual (surveillance audit) | Annual (surveillance audit) | Annual (surveillance audit) | 3 years (re-assessment) | Annual (Type II renewal) | Per commit (CI/CD integration) |
30.1.4.1. Interpreting the Comparison Table
The key differences to note from the comprehensive comparison table above are as follows.
Difference in Verification Level
All existing certifications perform verification at the policy, process, or operations control level. They answer questions such as "Has a security policy been established?" and "Has a change management process been defined?" An auditor may sample evidence that a control operated (approval tickets, access reviews, configuration screenshots), but none of these certifications inspects whether the policy is actually implemented in the source code.
TQS directly inspects source code, build configurations, and CI/CD pipelines. It answers code-level questions such as "Are the Spring Security settings applied as required?", "Is test coverage above 80%?", and "Are SQL queries using parameter binding (prepared statements) rather than string concatenation?"
Difference in Feedback Cycle
Existing certifications confirm compliance through audits held no more than once or twice a year. Between audits the certificate itself offers no assurance that controls are still operating; any continuous monitoring an organization runs in that interval is its own practice, not part of the certification.
TQS integrates verification tools into the CI/CD pipeline to automatically check standard compliance on every commit and every Pull Request. When issues arise, feedback is received immediately.
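The two differences above (what a code-level check looks like, and running it on every commit) can be made concrete with a small gate. The following is an added example written for this page, not TQS's own tooling or rule set. It embeds a JaCoCo-shaped XML report and two Java snippets as constructed samples so that it runs offline; the 80% figure is the threshold quoted above; the function names are assumptions; and the string-concatenation detector is a deliberately simple regex heuristic rather than the parser- or taint-based analysis a production gate would use.

```python
"""Minimal per-commit code-level gate (added illustration, not TQS tooling).

Two checks from the text are implemented:
  1. report-wide line coverage from a JaCoCo XML report must exceed COVERAGE_THRESHOLD
  2. no SQL statement may be assembled by string concatenation
All inputs below are constructed samples so the script runs offline.
"""
from __future__ import annotations

import re
import sys
import xml.etree.ElementTree as ET

COVERAGE_THRESHOLD = 0.80  # the "above 80%" figure quoted in the text

# Constructed JaCoCo-style report. The real format places report-wide totals
# as <counter> children of <report>; only the LINE counter is read here.
SAMPLE_JACOCO_XML = """\
<report name="sample-service">
  <package name="com/example">
    <class name="com/example/UserRepository">
      <counter type="LINE" missed="4" covered="36"/>
    </class>
  </package>
  <counter type="LINE" missed="10" covered="90"/>
</report>
"""

# Constructed Java snippet that violates the parameter-binding rule.
VULNERABLE_JAVA = """\
// constructed sample: SQL assembled by concatenation
String sql = "SELECT * FROM users WHERE name = '" + name + "'";
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery(sql);
"""

# Constructed Java snippet that satisfies the rule via PreparedStatement.
HARDENED_JAVA = """\
// constructed sample: parameter binding, user input never touches the SQL text
PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?");
ps.setString(1, name);
ResultSet rs = ps.executeQuery();
"""

# Heuristic: a string literal containing a SQL verb that is immediately
# followed by '+'. Good enough to show how a policy sentence becomes a
# mechanical check; a real gate would use a parser or a SAST tool.
SQL_CONCAT = re.compile(
    r'"[^"]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+', re.IGNORECASE
)


def line_coverage(jacoco_xml: str) -> float:
    """Return report-wide line coverage as a fraction in [0, 1]."""
    root = ET.fromstring(jacoco_xml)
    for counter in root.findall("counter"):  # direct children = report totals
        if counter.get("type") == "LINE":
            missed = int(counter.get("missed", "0"))
            covered = int(counter.get("covered", "0"))
            total = missed + covered
            return covered / total if total else 0.0
    raise ValueError("report-level LINE counter not found")


def find_sql_concat(java_source: str) -> list[tuple[int, str]]:
    """Return (line_number, stripped_line) for every concatenated SQL statement."""
    hits = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        if SQL_CONCAT.search(line):
            hits.append((lineno, line.strip()))
    return hits


def run_gate(jacoco_xml: str, java_sources: dict[str, str]) -> dict:
    """Evaluate both checks; 'passed' is what a CI job turns into its exit status."""
    coverage = line_coverage(jacoco_xml)
    findings = {}
    for path, src in java_sources.items():
        hits = find_sql_concat(src)
        if hits:
            findings[path] = hits
    coverage_ok = coverage > COVERAGE_THRESHOLD  # "above 80%", so exactly 80% fails
    return {
        "line_coverage": coverage,
        "coverage_ok": coverage_ok,
        "sql_concat": findings,
        "passed": coverage_ok and not findings,
    }


if __name__ == "__main__":
    result = run_gate(
        SAMPLE_JACOCO_XML,
        {"UserRepository.java": VULNERABLE_JAVA, "UserDao.java": HARDENED_JAVA},
    )
    print(f"line coverage: {result['line_coverage']:.1%} (ok={result['coverage_ok']})")
    for path, hits in result["sql_concat"].items():
        for lineno, text in hits:
            print(f"{path}:{lineno}: SQL built by concatenation -> {text}")
    sys.exit(0 if result["passed"] else 1)
```

Wired into a pipeline job, the non-zero exit status is what blocks the merge. The point is the translation itself: "use parameterized queries" stops being a sentence in a policy document and becomes a check whose result is attached to the exact commit that introduced the problem, which is the feedback cycle an annual audit cannot provide.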
Difference in Cost Structure
Existing certifications require payment of audit fees to external certification bodies, along with consulting costs for certification preparation. Total costs range from tens of millions to hundreds of millions of KRW.
TQS is an internal self-certification, so no audit or certification fees are incurred. The verification tools (ESLint, Spotless, JaCoCo, Lighthouse, etc.) are open source; the remaining costs are CI/CD infrastructure and the engineering time needed to maintain the rule set and remediate findings.
Difference in Certification Unit
Existing certifications are granted at the organization or service level. Once certification is obtained, it applies to all projects within that scope.
TQS is granted at the project and version level. Even within the same organization, each project must individually obtain TQS certification. This enables more granular quality verification.
30.1.4.2. Conclusion
TQS covers the "code-level verification" domain that existing certifications do not address. Conversely, because TQS is granted by an internal committee, it provides none of the independent third-party assurance that customers, regulators, and procurement processes obtain from external certifications. Rather than competing with existing certifications, it therefore plays a complementary role by filling the gaps they leave. Organizations should combine appropriate external certifications with TQS according to their business requirements.
Detailed comparative analysis for each certification is covered in the following Sections 30.2 through 30.6, and Section 30.7 provides a comprehensive summary of TQS differentiation.