CSAP Certification Consulting Services
We provide the following consulting services to companies seeking CSAP certification.
1) We provide the advice companies need to meet the CSAP certification requirements (14 areas, 64 items, and 100 details in the case of a "Low" level) before applying for a CSAP certification audit. If this process identifies gaps in security controls such as corporate risk assessment, vulnerability inspection, and legal compliance, we can provide additional advice to help the company close those gaps.
2) We provide documentation** and advice necessary for companies to apply for CSAP certification to a certification body*.
*Certification body: Korea Internet & Security Agency (KISA)
**Documentation: Application letter, Certification application form, Asset list in the certification scope, Statement of Scope (SOS), Statement of Applicability (SOA), Vulnerability inspection and penetration test agreement
3) We provide advice necessary for companies to prepare for and respond to a pre-audit by an audit agency*.
*Audit agency: Korea Information and Communication Promotion Association (KAIT)
4) We provide the advice companies need to prepare for and respond to on-site audits, vulnerability inspections, and penetration tests by the audit agency. If requests for evidence, demonstrations, on-site observations, etc. from the audit agency are expected during this process, we can provide the additional advice companies need.
5) We provide the advice needed to remediate audit results, that is, findings.
6) We provide the advice companies need to prepare for and respond to the audit agency's verification of remediation measures (checking whether or not they have been implemented). We also provide the necessary advice when a company obtains CSAP certification for the first time (validity period of 5 years) or renews its CSAP certification, and when the CSAP certification body or certification committee imposes requirements.
The consulting period can range from 5 to 10 months depending on the scope of the company's CSAP certification (e.g. IaaS, SaaS / "Low" level) and the scope of consulting contracted with the company. The consulting process is as follows.
1) Provide basic consultation according to company inquiries.
During the consultation process, we check whether the company has the minimum security controls and security organization necessary to prepare for CSAP certification. Depending on the result, we may decline the consulting engagement.
2) Provision of quotation and standard contract (SOW) considering the scope of consulting work and execution period.
If the audit agency's certification fee is to be paid through us on the company's behalf, that amount may be included in the quotation.
3) Contract signing
4) Consulting
5) Termination of contract
The following is the legal basis for CSAP certification.
Act on the Development of Cloud Computing and Protection of Its Users

Article 20 (Facilitating Use of Cloud Computing Services by State Agency or Other Public Authority)
(1) A State agency or other public authority shall endeavor to use cloud computing services provided by cloud computing service providers for performing their affairs. <Amended on Jan. 11, 2022>
(2) In using cloud computing services under paragraph (1), a State agency or other public authority shall preferentially consider cloud computing services that obtained security certification under Article 23-2 (1). <Newly Inserted on Jan. 11, 2022>
(3) The Minister of Science and ICT may select any of the following services (hereinafter referred to as "digital services") to enable a State agency or other public authority to use cloud computing services under paragraph (1) and may establish and operate a system for registering and managing selected digital services (hereinafter referred to as "usage support system"): <Newly Inserted on Jan. 11, 2022>
  1. Cloud computing services;
  2. Services that support cloud computing services;
  3. Services that combine cloud computing technologies with other technologies and services, such as intelligent information technologies.
(4) Other matters necessary for the selection of digital services and the establishment and operation of a usage support system shall be prescribed by Presidential Decree. <Newly Inserted on Jan. 11, 2022>
[This Article Newly Inserted on Jan. 11, 2022]