Open DDTFCH opened 1 month ago
Hello @DDTFCH, thank you for the suggestion. The team will look into it and get back to you, probably with some questions. Given it's a law, we should not have any issue about copyrights. I get the compliance of external providers operating there; do you know if other entities are using it in Korean or English? Regards
Could you add support for the ISMS-P framework from Korean ISA (KISA)?
KISA: K-ISMS / ISMS-P
Reference law: https://elaw.klri.re.kr/eng_service/lawView.do?hseq=38422&lang=ENG (Article 47)
Certification authority: https://www.kisa.or.kr/EN
Laws: https://www.kisa.or.kr/EN/301#fnPostAttachDownload
Framework guidelines: https://www.kisa.or.kr/EN/303/form?postSeq=1&page=1#fnPostAttachDownload
Cloud providers' compliance:
https://cloud.google.com/security/compliance/k-isms?hl=fr
https://aws.amazon.com/fr/compliance/services-in-scope/K-ISMS/
https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-korea-k-isms
https://www.alibabacloud.com/blog/alibaba-cloud-attains-korea-information-security-management-system-k-isms-certification_600649
Other providers' page: https://cpl.thalesgroup.com/compliance/apac/korea-personal-information-information-security-management-system-compliance
Certification criteria
ISMS certification consists of management framework setup & compliance (16 items) and protection plan requirements (64 items). The ISMS-P certification criteria are composed of the ISMS certification criteria (80 items) and the personally identifiable information (PII) requirements (22 items).
According to Article 47 (2) of the "Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.", the obligated organization must obtain ISMS or ISMS-P certification. A fine is imposed when there is a violation of the regulation. ISMS-P certification is for those who need both the flow of personal information and the cybersecurity certificate. On the other hand, ISMS is for those who need only the cybersecurity certificate. Once the subjects select the type of certificate, they need to consult with KISA or other authorities on the scope of the process. The auditor from the certificate authority should visit the organization for written and on-site examinations. The audited organization should rectify the identified deficiencies for the certificate to be issued.