COMPLIANCE SERVICES

Compliance services from SAK.

K-ISMS Certification Consulting Services

We provide the following consulting services to companies seeking ISMS certification.

1) Before the company applies for the ISMS certification audit, we provide the advice it needs to satisfy the ISMS certification requirements (80 items in 12 fields). If this process identifies gaps in security controls such as corporate risk assessment, vulnerability inspection, or legal compliance, we can provide additional advice to help the company close those gaps.

2) We provide the documentation** and advice the company needs to apply for ISMS certification to an audit agency*. If requests for evidence, demonstrations, on-site observation, etc. from the audit agency are expected, we can provide the additional advice the company needs.

  *Audit agencies: Korea Information and Communications Promotion Association (KAIT), Korea Information and Communications Technology Association (TTA), Personal Information Protection Association (OPA), Next Generation Information Security Certification Agency (NISC)

  **Documentation: Application letter, Certification application, Statement of Scope (SOS), Statement of Applicability (SOA)

3) We provide the advice companies need to prepare for and respond to pre-audits and on-site audits by audit agencies.

4) We provide the advice needed to address the company's audit results, that is, the findings.

5) We provide the advice companies need to prepare for and respond to follow-up checks by audit agencies. We also provide the necessary advice when a company obtains ISMS certification for the first time or renews it, and when the ISMS certification bodies* or certification committees impose requirements.

  *Certification bodies: Korea Internet & Security Agency (KISA), Financial Security Institute (FSI)


The consulting period may run from 3 to 10 months, depending on the scope of the company's ISMS certification and the scope of consulting contracted with the company. The consulting process is as follows.

1) Initial consultation in response to the company's inquiry.
During the consultation we check whether the company has the minimum security controls and security organization needed to prepare for ISMS certification. Depending on the result, we may decline the consulting engagement.

2) Provision of a quotation and standard contract (SOW) reflecting the scope of the consulting work and the execution period.
If the audit includes overseas travel, all expenses required for the consultant's overseas travel may be included in the estimate. Likewise, if we are required to pay the company's certification fee on its behalf, that budget may be included in the estimate.

3) Contract signing

4) Consulting

5) Termination of contract


The following is the legal basis for ISMS certification.

Act On Promotion of Information and Communications Network Utilization and Information Protection, Article 47 (Certification of Information Security Management Systems)
(1) With respect to a person who establishes and operates a comprehensive management system, including administrative, technical, and physical protective measures, for ensuring stability and reliability of an information and communications network (hereinafter referred to as "information security management system"), the Minister of Science and ICT may certify as to whether such person meets the standards under paragraph (4). <Amended on Feb. 17, 2012; Mar. 23, 2013; Dec. 1, 2015; Jul. 26, 2017>
(2) A telecommunication business entity under subparagraph 8 of Article 2 of the Telecommunications Business Act, or any of the following persons who provides or intermediates the provision of information by using telecommunications services of any telecommunication business entity, shall receive the certification under paragraph (1): <Newly Inserted on Feb. 17, 2012; Dec. 1, 2015; Dec. 24, 2018; Jun. 9, 2020>
1. A person who renders information and communications services, as prescribed by Presidential Decree, as a person registered pursuant to Article 6 (1) of the Telecommunications Business Act (hereinafter referred to as a "major provider of information and communications services");
2. A data center operator;
3. A person meeting the standards prescribed by Presidential Decree, whose annual sales, tax revenue, or any similar is at least 150 billion won, whose sales of the sector of information and communications services of the previous year is at least 10 billion won, or whose average number of daily users over the past three months is at least one million.
(3) Where a person required to be certified in accordance with paragraph (2) is certified for conformity with international standards for information protection or takes measures for information protection, as prescribed by Ordinance of the Ministry of Science and ICT, the Minister of Science and ICT may omit part of certification examination under paragraph (1). In such cases, the detailed scope of omitted certification examination shall be determined and publicly notified by the Minister of Science and ICT. <Newly Inserted on Dec. 1, 2015; Jul. 26, 2017>
(4) For the purpose of certification of an information security management system under paragraph (1), the Minister of Science and ICT may determine and give public notice of other necessary matters, such as certification standards specifying countermeasures for administrative, technical, and physical protection. <Amended on Feb. 17, 2012; Mar. 23, 2013; Dec. 1, 2015; Jul. 26, 2017>
(5) The period of validity of the certification of an information security management system under paragraph (1) shall be three years: Provided, That upon receipt of any rating for information security management in accordance with Article 47-5 (1), the certification under paragraph (1) shall be deemed effective during the period of validity of such rating. <Newly Inserted on Feb. 17, 2012; Dec. 1, 2015>
(6) The Minister of Science and ICT may have the Korea Internet and Security Agency or any institution designated by the Minister of Science and ICT (hereinafter referred to as “certification body for information security management systems”) perform the following affairs related to the certification under paragraphs (1) and (2): <Newly Inserted on Feb. 17, 2012; Mar. 23, 2013; Dec. 1, 2015; Jul. 26, 2017>
1. Examination to verify whether the information security management system established by an applicant for certification meets the certification standards under paragraph (4) (hereinafter referred to as “examination for certification”);
2. Review on the results of examination for certification;
3. Issuance and management of written certifications;
4. Ex post facto management of granted certifications;
5. Fosterage and qualification management of the certification examiners of information security management systems;
6. Other affairs regarding the certification of information security management systems.
(7) If necessary for the efficient conduct of affairs related to certification, the Minister of Science and ICT may designate an institution that performs affairs related to examination for certification (hereinafter referred to as “examination institution for information security management systems”). <Newly Inserted on Dec. 1, 2015; Jul. 26, 2017>
(8) The Korea Internet and Security Agency, a certification body for information security management systems, and an examination institution for information security management systems shall, in order to enhance the efficiency of information security management systems, perform ex post facto management at least once a year and notify the Minister of Science and ICT of the results thereof. <Newly Inserted on Feb. 17, 2012; Mar. 23, 2013; Dec. 1, 2015; Jul. 26, 2017>
(9) A person who has received the certification of an information security management system in accordance with paragraphs (1) and (2) may indicate or publicize the content of the certification, as prescribed by Presidential Decree. <Amended on Feb. 17, 2012; Dec. 1, 2015>
(10) The Minister of Science and ICT may revoke the certification where any of the following grounds is found: Provided, That in cases falling under subparagraph 1, the Minister of Science and ICT shall revoke the certification: <Newly Inserted on Feb. 17, 2012; Mar. 23, 2013; Dec. 1, 2015; Jul. 26, 2017>
1. Having received the certification of an information security management system by fraud or other improper means;
2. Falling short of the certification standards under paragraph (4);
3. Refusing or obstructing the ex post facto management under paragraph (8).
(11) Methods and procedures for, and scope and fees of, certification under paragraphs (1) and (2), methods and procedures for ex post facto management under paragraph (8), methods and procedures for revoking certification under paragraph (10), and other necessary matters shall be prescribed by Presidential Decree. <Amended on Feb. 17, 2012; Dec. 1, 2015>
(12) Standards and procedures for, and period of validity of, the designation of a certification body for information security management systems and an examination institution for information security management systems, and other necessary matters shall be prescribed by Presidential Decree. <Amended on Feb. 17, 2012; Dec. 1, 2015>
[This Article Wholly Amended on Jun. 13, 2008]
© 2023 Security Awareness Korea, Inc. All Rights Reserved