Ahead of the enforcement of the "Act on the Reporting and Use of Specific Financial Transaction Information (Special Act)," companies dealing with virtual currency must obtain Information Security Management System (ISMS) certification.
ISMS certification is a system in which companies or institutions certify that information protection operations and management levels meet certain standards.
In the case of cryptocurrency exchanges, real-name account certification is required from banks under the Special Act, and the criterion for this is ISMS certification. This means that an exchange without the certification is not even eligible for real-name account screening, and an exchange without the account will have to close.
What is ISMS and ISMS-P?
ISMS is a certification of the information protection framework of enterprises and institutions. Information communication services and all information systems, personnel and physical locations for the provision of services must be included.
This means that if ISMS is obtained, the state certifies that important information assets such as corporate information, industrial confidentiality, and personal information held by companies and organizations are managed in a safe and reliable manner.
ISMS-P is virtually the most extensive information protection certification system. ISMS-P is a concept that certifies both corporate and institutional information protection systems and privacy areas. Information system services, including ISMS's certification scope and all services corresponding to the personal information flow under the Life Cycle (collection, retention, use, provision, termination), are analyzed in detail. In other words, ISMS-P certifies that the organization protects privacy more closely in almost all domains.
ISMS certification is quite a complicated procedure. In particular, ISMS-P is more difficult.
ISMS must pass a total of 80 evaluation items, and ISMS-P must pass 102 items.
ISMS, ISMS-P Certification Evaluation Topics
The ISMS certification process begins with establishing an annual plan for information protection. In this process, a management system based on certification standards will be established and operated.
Once the application is received, a preliminary inspection will be conducted on the scope of certification and the preparation status of the applicant company. If the inspection is passed, the screening schedule will be confirmed, the fee will be paid, and the process will move on to the full-fledged screening stage. For reference, a 30% discount will be given to "small and medium-sized enterprises" or "information protection disclosures", and a 20% discount will be given for "some parts of the review" (ISO/IEC 27001 and "Vulnerability checks of major information and communication infrastructure").
The certification examination consists of a written and an on-site examination, which examine whether the management system is well established and whether the established system is properly implemented. The applicant is also asked to supplement and take action against defects found in this process.
After the on-site confirmation of whether supplementary measures for defects found during the examination have been implemented, a report on the results of the examination will be prepared, and a certificate will be issued if there is no problem.
A post-examination is conducted every year after the certificate is issued. The validity period of the certificate is three years and must be re-certified through a renewal review at the end. Of course, if they fail to pass the renewal screening process, the certification will be automatically revoked.
Meaning of obtaining ISMS certification
There are many benefits to obtaining ISMS certification. Institutional benefits include a perfect score (5 points) for information protection certified companies in the "Work Performance Assessment Sheet", a replacement for some ESG evaluations for listed companies, and additional points when contractors are selected for purchasing, manufacturing, service and construction.
Most significant of all, however, is the fact that the state guarantees that the company has the ability to safely manage information protection.
In particular, continuous and systematic risk management for information protection is paramount as recent industrial flows have developed in a direction closely related to the network.
Many companies are already certified for systematic risk management, in various fields as well as in the virtual currency industry. NC Soft, a leader in the game industry, is certified, and Dabang, an Internet real estate company, completed its ISMS-P certification in May. Large cryptocurrency exchanges such as Bithumb, Upbit, and Korbit have already obtained ISMS certification.
In addition, more and more companies are stepping up preparations for certification. Coco Entertainment Korea is working to establish a system to prepare for ISMS certification, and is also preparing for certifications from the International Organization for Standardization, such as ISO 27001, to protect customers' information.
This means that an entity that has obtained ISMS certification is capable of managing information protection risk at the highest level. It is even more meaningful because it is a certificate that lets customers entrust their assets with confidence, regardless of the Special Act.
ISMS certification means that the state guarantees that it is an enterprise capable of managing information protection risk
In addition, it is also positive that virtual currencies will be protected by institutional rights. As the ISMS certification authority is a national institution, legal compliance with personal information protection can be secured. Financial Services Commission Chairman Eun Sung-soo's recent remarks that "a safe cryptocurrency exchange that has been reported can naturally protect investment funds" are based on ISMS certification, among other things.
ISMS certification has thus become a necessity for businesses. Even among companies that are not required to obtain certification, many apply for it. Just as we trusted KS mark products as quality products, ISMS certification has become an indicator of the stability of information protection.