The second point is a comprehensive strengthening of the effectiveness of the Information Security Management System (ISMS·ISMS-P) certification.

The Personal Information Protection Commission and the Ministry of Science and ICT announced on December 8, 2025, that they will proceed with a system reform to enhance the effectiveness of the Information Security Management System (ISMS) certification and the Information Security and Personal Information Protection Management System (ISMS-P) certification based on the Information and Communication Network Act Article 47 and the Personal Information Protection Act Article 32-2. 

This is because incidents have been repeated in 2025, leading to increased criticism that "the certification does not keep up with reality."

Accordingly, it was announced that the previously voluntary ISMS-P certification will be made mandatory for key public and private personal information processing systems (major public systems, telecom companies, large-scale platforms, etc.) to establish a constant personal information safety management system.

Additionally, stronger certification standards will be developed and applied to large companies with significant national influence, such as telecom companies and large platform operators. The Personal Information Protection Commission and the Ministry of Science and ICT plan to promptly push for amendments to the Personal Information Protection Act and the Information and Communication Network Act for this purpose. 

The examination method will be thoroughly strengthened by pre-verifying key items during the preliminary review and enhancing technical reviews and on-site verification audits. An industry-specific certification committee will be operated, and auditors will be educated on new technologies such as AI to enhance the professionalism of the certification. 

Post-management will also be dramatically strengthened. If a data breach occurs at a certified company, a special post-audit will be conducted promptly to verify compliance with certification standards. If significant defects in certification standards are found during the post-audit process, certification can be canceled through review and resolution by the certification committee. Moreover, for companies involved in incidents, the personnel and duration of post-audits will be doubled, and the causes of incidents and measures for preventing recurrence will be intensively inspected. 

Many companies have so far considered that "once you get certified, it's over," akin to a license. All that was needed for renewal was proper documentation. However, the repeated hacking incidents at certified companies have rendered the phrase "We are ISMS certified..." ineffective, collapsing the trust of the public and investors.

In this context, technical reviews such as vulnerability diagnostics and penetration testing, and on-site verification centered on key systems will be strengthened. You cannot pass with just documentation; the actual safety of the system must be confirmed. A special post-audit will be conducted if a data breach occurs. Certification can be revoked if major defects are found.

In short, certification is no longer a 'once and for all' — it marks the beginning of constant management and proof. SK Telecom has maintained its certification despite neglecting vulnerabilities for eight years. However, in the future, certification may be canceled following a special review in the event of a major incident. It's changed from "once and for all" to "continuous proof is required for maintenance." This means an era is opening where "proof of operation worthy of maintaining certification" becomes more important than "holding the certification" itself.

From a corporate standpoint, the burden may increase, but conversely, it creates a rule whereby companies that genuinely excel can gain trust.

👉 Related link https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=11660