Compliance Frameworks

KISA ISMS P

2023

kisa_isms_p_2023_aws

101 Requirements

410 Checks

Description

The ISMS-P certification, established by KISA (Korea Internet & Security Agency), is a system where an independent certification body evaluates whether a company or organization's information security and privacy protection measures comply with certification standards, and grants certification. This helps organizations improve public trust in their services and respond effectively to increasingly complex cyber threats. The ISMS-P framework also provides comprehensive guidelines for systematically establishing, implementing, and managing information security and privacy protection.

Check your compliance status

prowler aws --compliance kisa_isms_p_2023_aws

Run in Prowler Cloud

Compliance Frameworks

KISA ISMS P

Description

Compliance MetadataEdit

Check your compliance status

Requirements

The CEO must establish and operate a reporting and decision-making system to ensure executive participation in the establishment and operation of the information protection and personal information protection management system.0 Checks

The CEO must appoint a Chief Information Security Officer (CISO) responsible for information protection and a Chief Privacy Officer (CPO) responsible for personal information protection, both at an executive level with authority to allocate resources such as budget and personnel.0 Checks

The organization must set the scope of the management system by considering its core services and the current state of personal information processing, and document the related services, personal information processing tasks, organizations, assets, and physical locations.0 Checks

The CEO must allocate the necessary resources, including budget and personnel with expertise in the fields of information protection and personal information protection, for the effective implementation and continuous operation of the management system.0 Checks

Organizations must establish classification criteria for information assets according to the characteristics of their operations, identify and classify all information assets within the scope of the management system, assess their importance, and maintain an up-to-date list.5 Checks

Organizations must analyze the status of information services and personal information processing across all areas of the management system, document the procedures and workflows, and review them regularly to maintain their accuracy.0 Checks

The selected protective measures must be effectively implemented according to the implementation plan, and management must verify the accuracy and effectiveness of the implementation results.0 Checks

The departments and personnel responsible for the actual operation or implementation of the protective measures must be identified, and the related information must be shared and provided through training to ensure continuous operation.0 Checks

The organization must regularly identify and reflect legal requirements related to information protection and personal information protection and continuously review whether compliance is being maintained.0 Checks

The organization must audit its management system at least once a year with a team of personnel who possess independence and expertise, to ensure the system is operating effectively in accordance with internal policies and legal requirements, and report any identified issues to management.0 Checks

The root causes of the issues identified during legal compliance reviews and management system inspections must be analyzed, and preventive measures must be established and implemented. The management must confirm the accuracy and effectiveness of the improvement results.0 Checks

Roles and responsibilities related to information protection and personal information protection must be assigned to all members of the organization, and systems must be established for evaluating these activities and for communication between members and departments.0 Checks

The procedures and protection measures for handling information assets according to their purpose and importance must be established and implemented, and the responsibilities for each asset must be clearly defined and managed.9 Checks

Criteria and management plans for key duties, such as handling personal information and important information or accessing key systems, must be established, and the number of key personnel must be minimized and their list kept up-to-date.3 Checks

Criteria for the separation of duties must be established and applied to prevent potential harm from the misuse or abuse of authority. If separation of duties is unavoidable, supplementary measures must be established and implemented.0 Checks

Employees, temporary staff, or external personnel handling information assets or granted access must sign a security and confidentiality agreement in accordance with internal policies.0 Checks

In the event that employees or relevant external parties violate laws, regulations, or internal policies, the organization must establish and implement procedures to take appropriate actions.0 Checks

When using external services or outsourcing work to external parties, the organization must identify the information protection and personal information protection requirements and specify them in contracts or agreements.0 Checks

Security measures specified in contracts, agreements, and internal policies must be regularly inspected or audited to ensure external parties comply with information protection and personal information protection requirements.0 Checks

Access to protected areas must be restricted to authorized personnel only, and entry and access logs should be reviewed periodically to ensure accountability.0 Checks

Information systems should be arranged considering their importance and characteristics to reduce environmental threats, harmful factors, and unauthorized access, and communication and power cables should be protected from damage.0 Checks

Procedures to prevent unauthorized actions and abuse of privileges within secure zones must be established and implemented, and the records of operations should be periodically reviewed.0 Checks

Procedures to control the inbound and outbound movement of information systems, mobile devices, storage media, etc., within secure zones must be established, implemented, and periodically reviewed.0 Checks

Procedures for managing passwords used by users of information systems, as well as customers and members, must be established and implemented, taking into account legal requirements and external threats.13 Checks

Accounts and privileges used for special purposes, such as managing information systems, personal information, and important information, should be granted minimally, separately identified, and controlled.11 Checks

The registration, use, and deletion of user accounts accessing information systems, personal information, and important information, as well as the history of granting, changing, and deleting access rights, should be recorded and periodically reviewed to ensure their appropriateness.14 Checks

The users, access restriction methods, and secure access means for accessing information systems such as servers and network systems must be defined and controlled.24 Checks

Access rights to applications must be restricted according to the user's tasks and the importance of the accessed information, and criteria should be established to minimize exposure of unnecessary or sensitive information.0 Checks

Identify the information stored and managed in the database, such as the table list, and establish and implement access control policies according to the importance of the information and the type of applications and users.37 Checks

Establish and implement management procedures for the secure generation, use, storage, distribution, and destruction of cryptographic keys, and prepare recovery methods if necessary.9 Checks

When introducing, developing, or modifying information systems, security requirements such as legal requirements related to information protection and personal information protection, the latest security vulnerabilities, and secure coding methods must be defined and applied.16 Checks

Development and test systems must, in principle, be separated from production systems to reduce the risk of unauthorized access and changes to the production system.1 Checks

In order to prevent the leakage of operational data during system testing, procedures for the creation, use, management, disposal, and technical protection measures of test data must be established and implemented.1 Checks

Source programs must be managed so that only authorized users can access them, and it is a principle that they should not be stored in the operational environment.2 Checks

When transitioning newly introduced, developed, or modified systems to the operational environment, the process must be controlled, and the executable code must be run according to test and user acceptance procedures.0 Checks

Procedures must be established and implemented to manage all changes to assets related to information systems, and the impact on system performance and security must be analyzed before changes are made.14 Checks

To ensure normal use of the information system and prevent misuse (unauthorized access, excessive queries, etc.) by users, log review criteria for access and usage must be established and inspected periodically, and post-event actions must be taken promptly if issues arise.26 Checks

To ensure the accuracy of logs and access records and provide reliable log analysis, the system time must be synchronized with a standard time and regularly maintained.0 Checks

To prevent the recovery or regeneration of personal and critical information during the reuse and disposal process, secure reuse and disposal procedures for information assets must be established and implemented.0 Checks

When providing electronic transaction and FinTech services, protection measures such as authentication and encryption must be established to prevent data leakage, data tampering, or fraud. The security of external systems, such as payment systems, must be checked when integrated.0 Checks

When connecting devices such as PCs and mobile devices to the network for business purposes, access control measures such as device authentication, approval, access scope, and security settings must be established and periodically checked.6 Checks

Procedures must be established and implemented to prevent the leakage of personal or important information or infection by malware through removable media. Removable media containing personal or important information must be stored in a secure location.0 Checks

To prevent security incidents due to vulnerabilities in software, operating systems, or security systems, the latest patches must be applied. However, if the application of the latest patches is difficult due to service impact considerations, alternative measures must be implemented.14 Checks

To protect personal and important information, information systems, and business terminals from malware such as viruses, worms, Trojans, and ransomware, prevention, detection, and response measures must be established and implemented.0 Checks

To quickly detect and respond to intrusion attempts, personal information leakage attempts, and fraudulent activities from internal or external sources, the organization must collect and analyze network and data flows. Post-monitoring and inspection actions must be timely.28 Checks

Regularly test the adequacy of the disaster recovery strategies and plans, and supplement the recovery strategies and plans based on test results, changes in the information system environment, and legal requirements.33 Checks

When collecting personal information, only the minimum amount of personal information necessary for the intended purpose may be collected, and the data subject must not be denied the provision of goods or services for refusing to consent to optional matters.0 Checks

Resident registration numbers may not be collected, used, or processed unless there is a legal basis for doing so. Even when the processing of resident registration numbers is permitted, alternative methods must be provided, such as through an internet website.0 Checks

In order to process sensitive information and unique identifying information (excluding resident registration numbers), separate consent from the data subject must be obtained unless the processing is specifically required or permitted by law.0 Checks

When collecting and using personal information for marketing purposes, such as promoting goods or services, sales recommendations, or sending advertising information, the purpose must be clearly communicated to the data subject, and their consent must be obtained.0 Checks

The items, volume, purpose and method of processing, and retention period of collected and retained personal information must be regularly managed. In the case of public institutions, such information must be registered with the head of the relevant agency as stipulated by law.2 Checks

Collected personal information must be managed to ensure its accuracy, completeness, and up-to-dateness within the scope necessary for the processing purpose, and procedures must be provided to data subjects to manage their information.0 Checks

When accessing information stored on the user's mobile device or functions installed on the mobile device, it is necessary to notify the user clearly and obtain their consent.0 Checks

When processing pseudonymized information, legal requirements such as purpose limitation, combination restrictions, safety measures, and prohibition obligations must be met, and procedures must be established and implemented to ensure an appropriate level of pseudonymization.0 Checks

When providing personal information to third parties, there must be a legal basis or consent from the data subject, and protection measures must be established and implemented to securely protect personal information during the process of providing access to third parties.0 Checks

When transferring or receiving personal information due to business transfers or mergers, appropriate protection measures such as notifying the data subjects must be established and implemented.0 Checks

When transferring personal information abroad, appropriate protective measures such as obtaining consent and disclosing relevant details about the transfer must be established and implemented.1 Checks

If personal information is retained beyond the retention period or after the purpose of processing has been achieved, as permitted by relevant laws, it must be limited to the minimum necessary items and stored separately from other personal information.0 Checks

The organization must identify matters that must be notified to data subjects, such as the use and provision of personal information, and periodically inform the data subjects of these matters.0 Checks