
Effective Management of the Personal Information & Information Security Management System (ISMS-P) Certification Scheme

  • Hong, Sung Wook (Department of Financial Technology Convergence, Graduate School, Soongsil University) ;
  • Park, Jae-Pyo (Department of Information Security, Graduate School of Information Science, Soongsil University)
  • Received : 2019.08.21
  • Accepted : 2020.01.03
  • Published : 2020.01.31

Abstract

The Information Security Management System (ISMS) and Personal Information Management System (PIMS) certification schemes were integrated into the Personal Information & Information Security Management System (ISMS-P) certification scheme in response to requests to reduce the time and cost of preparing for certification. The integration gives the scheme operator easier management of the certification system, and gives target organizations easier acquisition and maintenance of certification. However, because the same certification criteria are applied to every type of target organization, three problems have arisen: it is ambiguous how the criteria apply to each type of target organization; some control items in the criteria are ambiguous and require target organizations to operate an excessively large management system; and the legal basis that applies to a given target organization is unclear. To address these problems, this paper uses case studies to propose three solutions: classifying the target organizations to which the certification criteria apply by type, varying the control items applied during a certification audit according to that type, and excluding the ISMS-P-specific control items for organizations that wish to obtain only ISMS certification. The paper offers a way to operate the certification scheme efficiently and can serve as a basis for improving problems that arise in the ISMS-P certification scheme in future.
