Republic of Korea: Adopted Simplified Certification System for Information Security and Personal Information Protection for SMEs

Description

On 23 July 2024, the Ministry of Science and ICT, the Personal Information Protection Commission, and the Korea Internet and Security Agency adopted the Simplified Certification System for Information Security and Personal Information Protection tailored for small and medium-sized enterprises (SMEs). This system is designed for SMEs with ICT service sales under KRW 30 billion or those exceeding this threshold but lacking major information and communication facilities. However, critical information and communication service providers, operators of integrated information and communication facilities, certain tertiary hospitals and universities, financial companies, and virtual asset businesses are excluded from this simplified certification. The new system certifies that a company's information security and personal information protection management systems comply with the criteria set out in the Information and Communications Network Act and the Personal Information Protection Act. It addresses challenges faced by SMEs under existing certification systems, which are typically geared towards larger enterprises and involve complex criteria and high costs.

Scope

Policy Area: Data governance
Policy Instrument: Data protection regulation
Regulated Economic Activity: cross-cutting
Implementation Level: national
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2024-07-23: adopted
