intuitem / ciso-assistant-community

CISO Assistant is a one-stop-shop for GRC, covering Risk, AppSec and Audit Management and supporting +46 frameworks worldwide: NIST CSF, ISO 27001, SOC2, CIS, PCI DSS, NIS2, CMMC, PSPF, GDPR, HIPAA, Essential Eight, NYDFS-500, DORA, NIST AI RMF, 800-53, 800-171, CyFun, CJIS, AirCyber and so much more
https://intuitem.com
GNU Affero General Public License v3.0

Support for KOREA ISA : ISMS-P #498

Open DDTFCH opened 1 month ago

DDTFCH commented 1 month ago

Could you add support for the ISMS-P framework from the Korean ISA (KISA)?

KISA : K-ISMS / ISMS-P

Reference Law: https://elaw.klri.re.kr/eng_service/lawView.do?hseq=38422&lang=ENG Article 47

Certification Authority: https://www.kisa.or.kr/EN
Laws: https://www.kisa.or.kr/EN/301#fnPostAttachDownload
Framework guidelines: https://www.kisa.or.kr/EN/303/form?postSeq=1&page=1#fnPostAttachDownload

Cloud providers compliance:
https://cloud.google.com/security/compliance/k-isms?hl=fr
https://aws.amazon.com/fr/compliance/services-in-scope/K-ISMS/
https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-korea-k-isms
https://www.alibabacloud.com/blog/alibaba-cloud-attains-korea-information-security-management-system-k-isms-certification_600649
Other providers page: https://cpl.thalesgroup.com/compliance/apac/korea-personal-information-information-security-management-system-compliance

Certification criteria

ISMS certification consists of management framework setup & compliance (16 items) and protection plan requirements (64 items). The ISMS-P certification criteria are composed of the ISMS certification criteria (80 items) and the personally identifiable information (PII) requirements (22 items).

According to Article 47 (2) of the「Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.」, the obligated organization must obtain ISMS or ISMS-P certification. A fine is imposed when there is a violation of the regulation. ISMS-P certification is for those who need both flow of personal information and the cybersecurity certificate. On the other hand, ISMS is for those who need only the cybersecurity certificate. Once the subjects select the type of certificate, they need to consult with KISA or other authorities for the scope of the process. The auditor from the certificate authority should visit the organization for written and on-site examinations. The auditee organization should rectify the identified deficiencies for issuing the certificate.

ab-smith commented 4 weeks ago

Hello @DDTFCH, thank you for the suggestion. The team will look into it and get back to you, probably with some questions. Given it's a law, we should not have any issue about copyrights. I get the compliance of external providers operating there; do you know if other entities are using it in Korean or English? Regards