On 6 December 2025, the Personal Information Protection Commission (PIPC) and the Ministry of Science and Information and Communication Technology (MSICT) announced measures to strengthen the effectiveness of the Information Security Management System (ISMS) certification and the Information Security and Personal Information Protection Management System (ISMS-P) certification, citing repeated hacking and large-scale personal-data leakage incidents involving certified enterprises. The announcement confirmed that ISMS-P certification will become mandatory for major public- and private-sector personal-information processing systems and that enhanced certification criteria will apply to telecommunications providers and large-scale platform operators. It specified strengthened audit methods through prior verification of core items, expanded technical and field-verification audits, and enhanced auditor training, as well as reinforced post-management through special post-audits in the event of data-leakage incidents, expanded inspection personnel, and possible certification cancellation where serious defects are identified. The authorities noted that amendments to the Personal Information Protection Act and the Information and Communications Network Act will be pursued and that joint work through an inter-agency task force will support phased implementation of the revised certification framework.