ISMS certification to prevent carrier accidents

Hacking Accidents Frequent at Certified Companies

2025-06-13     Kim Kwang-yeon

According to the "ISMS-P Certification System Guide" published by the Ministry of Science and ICT, the Personal Information Protection Committee, and the Korea Internet & Security Agency (KISA) on the 12th, ISMS-P certification includes information protection management system certification (ISMS, under the jurisdiction of the Ministry of Science and ICT) and information protection and personal information protection management system certification (ISMS-P, under the jurisdiction of the Personal Information Protection Committee).

As more companies are caught up in hacking accidents even after receiving the current Information Protection and Personal Information Protection Management System (ISMS-P) certification, questions are being raised about the effectiveness of the system.

The ISMS-P certification system is one in which KISA or a certification body attests that the set of measures and activities for information protection and personal information protection of a company applying for certification meets the certification standards.

The detailed inspection items of the certification standards include "accident prevention and response" items. The evaluation covers whether the company prevents infringement accidents and personal information leakage, responds quickly to accidents, complies with legal notification and reporting obligations when it recognizes signs or occurrences of infringement accidents and personal information leakage, and implements procedures for notifying information subjects (users) and reporting to related agencies in accordance with relevant laws and regulations in the event of a personal information infringement accident.

SK Telecom acquired ISMS and ISMS-P at the same time, and has been certified for information protection and personal information protection activities. However, after the USIM information of 27 million subscribers was hacked, claims arose that the certification is useless.

The same applies to other telecom service providers. LG Uplus failed to prevent the leakage of personal information of 300,000 customers in 2023 even after acquiring ISMS and ISMS-P in 2022. KT also received ISMS certification, but was criticized for failing to prevent the leakage of personal information of 12 million customers in 2014.

The problem is not limited to telecommunications companies: Yes24, an online bookstore used by 20 million people, acquired ISMS-P in 2023 but was recently hacked.

This is why the movement to improve the ISMS-P certification system, centered on the National Assembly, is gaining strength.

Kim Sang-hoon, a lawmaker of the People's Power Party, proposed on June 11 a revision to the Information and Communication Network Act that would enhance the effectiveness of the information protection certification system. The revision would allow stricter certification standards to be applied to high-risk industries related to security, such as mobile carriers, and would allow certification to be revoked in case of serious violations of information protection-related laws.

The National Assembly's legislative investigation office also said that the ISMS-P certification system is not being operated formally, and that the overall certification system should be improved and the management and supervision system for certification should be strengthened so that it can be an effective countermeasure against security threats by actual mobile carriers.

An industry official said, "Once it was certified, it was never renewed and canceled without any problem," adding, "The ISMS-P certification system itself needs to be improved."
