ISO/IEC 27001:2022 · Information Security

Security speaks through certification

Received an ISMS / ISMS-P mandatory certification notice?
An integrated strategy to prepare ISO 27001 and ISMS-P at once — designed directly by a former auditor.

What is ISO 27001

ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS). Rather than individual devices or products that protect information, it calls for a management-level governance system that identifies risk, controls it, and continually improves how it is handled. The 2022 revision (27001:2022) consists of 7 management clauses in the main body (Clauses 4–10) plus 93 controls across 4 themes, and serves as the common language of information security recognized anywhere in the world.

  • 93 Annex A controls (2022 revision)
  • 4 themes: Organizational · People · Physical · Technological
  • 3-year certificate validity (annual surveillance audit)

Why you need it now

A single ransomware hit can halt a plant, and one leaked record can end a deal. Security is no longer the IT department's concern alone — it is a matter of the company's survival. ISO 27001 is the answer to three pressures.

  • Regulation: The Personal Information Protection Act, the Network Act, and — for overseas trade — even the GDPR all demand evidence that you have a security management system in place.
  • Trade: Large enterprises, financial institutions, and public agencies set ISO 27001 or ISMS-P as a baseline requirement for supplier registration and tenders.
  • Trust: In investment due diligence and global customer contracts, it proves on a single page that you are "a company that got security right from the start."

ISO 27001 vs. ISMS-P — What's the Difference

When you start researching information security certification, ISO 27001, ISMS, and ISMS-P all show up at once and it's easy to get confused. The three are not competitors but siblings sharing the same roots. ISMS-P is a scheme built on the international foundation of ISO 27001, with Korea-domestic regulation and personal information protection added on top.

Nature
  • ISO 27001: International standard (globally recognized)
  • ISMS-P: Korea-domestic certification (statutory scheme)

Governing bodies
  • ISO 27001: ISO/IEC, accreditation bodies (e.g., KAB)
  • ISMS-P: Ministry of Science and ICT & PIPC; audited by KISA

Obligation
  • ISO 27001: Voluntary (effectively essential as a trade requirement)
  • ISMS-P: Network Act Article 47 — legally mandatory above a certain size

Personal data protection
  • ISO 27001: Security-focused (personal data covered in part)
  • ISMS-P: Information protection + personal data protection combined (includes "P")

Strength
  • ISO 27001: Overseas trade · global customers · investment due diligence
  • ISMS-P: Meeting domestic legal obligations · public tenders

※ ISMS certifies information protection only, while ISMS-P is the higher-tier certification that adds personal information protection (Privacy) on top. If your service handles personal data, ISMS-P is the benchmark.

Why You Should Prepare Both Certifications Together

Many companies obtain ISMS-P first because it's mandatory, then later pursue ISO 27001 separately once overseas business arises. Yet the two certifications share more than 70% of their controls. Prepare them separately and you do the same work twice; prepare them together and one build earns you both certificates.

Preparing Separately
  • Writing risk assessments, policies, and documents twice
  • Paying for audits and consulting twice
  • Repeating staff interviews and evidence collection twice over
  • Renewal and surveillance schedules running separately, adding management burden
Preparing Together
  • Designing shared controls at once from a single risk assessment
  • Submitting the same documents and evidence to both audits
  • Domestic obligation (ISMS-P) and global trust (ISO 27001) in one go
  • Operating and renewing as one unified system to simplify management

The key is the design. Look at both certifications together from the start and map the controls, and one build earns you both certificates. Obtain one first and try to retrofit the other, and you end up reworking it. That is why the consulting that decides which order to follow and which controls to share is what determines the cost.

Key Requirements of ISO 27001:2022

ISO 27001 has two major parts: the main body (Clauses 4–10), which sets how the company is run, and Annex A (93 controls), the actual list of security measures.

① Management System Main Body — Clauses 4–10

Clause 4: Context of the Organization
Internal/external issues, interested-party needs, and defining the scope

Clause 5: Leadership
Top-management commitment, the information security policy, roles and responsibilities

Clause 6: Planning
Risk assessment and treatment, the Statement of Applicability (SoA), security objectives

Clause 7: Support
Resources, competence, awareness, communication, documented information

Clause 8: Operation
Carrying out the risk assessment and risk treatment actions under operational control

Clauses 9 & 10: Performance Evaluation & Improvement
Internal audit and management review, corrective action for nonconformities, continual improvement

② Annex A — 93 Controls Across 4 Themes

A.5 Organizational Controls (37 controls)
Company-wide rules such as information security policies, asset management, access control policy, supplier and cloud security, incident management, and threat intelligence

A.6 People Controls (8 controls)
People-related controls such as pre-employment screening, confidentiality agreements, training and awareness, disciplinary process, remote working, and security event reporting

A.7 Physical Controls (14 controls)
Controls over space and equipment such as entry control, secure areas, equipment protection, cabling and storage media management, and physical security monitoring

A.8 Technological Controls (34 controls)
Technical measures such as access rights, encryption, backup, logging and monitoring, network and web filtering, secure coding, and data leakage prevention

New in 2022: 11 Newly Added Controls

The 2022 revision added 11 new controls to reflect the shift to cloud and the evolving threat landscape. Companies certified under the older version (2013) need a transition audit.

  • Threat intelligence
  • Cloud service security
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

Certification Process

1. Gap Analysis
Diagnose the gap between your current security posture and the ISO / ISMS-P benchmarks

2. Risk Management
Identify information assets and establish a risk assessment and treatment plan

3. SoA & Build
Write the Statement of Applicability, implement controls, and operate policies and procedures

4. Certification Audit
Stage 1 document review and Stage 2 on-site audit confirm the controls are operating

5. Certification & Surveillance
Certificate issued (valid 3 years), with an annual surveillance audit to maintain the system

Why the Choice of Consultancy Decides the Outcome

Information security certification is not about receiving a stack of documents — it is about building a system that genuinely runs inside your company. Even with the same certificate, what happens after certification differs entirely depending on the partner you chose.

The Cost of the Wrong Choice

  • A vendor that just produces documents and leaves you with no operating evidence, leading to corrective action and re-audits
  • A merely formal system that fails to work in the face of an actual breach
  • Without knowing your industry's risks, unnecessary controls pile up while the essentials are left empty
  • The cost of having to find a new vendor again at renewal and surveillance

What Makes a Good Partner

  • An expert who knows the audit floor designs around "what the audit actually looks for"
  • Controls chosen to fit your industry's risk profile (SaaS, fintech, manufacturing, etc.)
  • Integrated design that views ISMS-P and ISO 27001 together to eliminate duplication
  • One team that stays with you through renewal and operation, not just certification

Why Just Verify Is Different

Former Auditors

Experienced former auditors take 1:1 ownership. We design a system that is genuinely effective, not just one that passes the audit.

Integrated Design

We map ISMS-P and ISO 27001 together from the start, preparing both certifications in a single build.

500 Enterprises

A cumulative track record of 500 certified enterprises and industry-specific know-how reduce trial and error.

Expected Benefits

Trust: Win Trade Trust
Prove your security posture to customers and partners on a single page

Regulation: Meet Legal Obligations
Address the requirements of the Personal Information Protection Act and the Network Act at once

Tenders: Tender Bonus Points
Secure mandatory requirements and bonus points when bidding on public and financial projects

Cost: Prevent Incident Costs
Head off the compensation, recovery, and trust losses caused by a breach before they happen

Frequently Asked Questions

How do ISO 27001 and ISMS-P differ, and why prepare them together?
ISMS-P is a Korea-domestic certification operated by the Ministry of Science and ICT and the Personal Information Protection Commission and audited by KISA. Under Article 47 of the Network Act (Act on Promotion of Information and Communications Network Utilization), companies above a certain size are legally required to obtain it. ISO 27001 is an international standard with no legal mandate, but it is essential for overseas trade and serving global customers. The two certifications share more than 70% of their controls, so building one system to obtain both lets you share documents and evidence, significantly reducing cost and timeline.
Do we have to implement all 93 controls of ISO 27001:2022?
No. Controls may be excluded based on the results of your organization's risk assessment. You simply document the applicability of each control and its rationale in the Statement of Applicability (SoA). The 2022 revision reorganized the previous 114 controls across 14 domains into 93 controls across 4 themes, and introduced 11 new controls including cloud security and threat intelligence.
How do we determine whether our company is subject to mandatory ISMS-P?
Under Article 47 of the Network Act, mandatory targets include ISPs and IDC (data center) operators, information and communications service providers with prior-year revenue of KRW 10 billion or more, services averaging 1 million or more daily users over the three months before year-end, tertiary general hospitals with annual revenue/receipts of KRW 150 billion or more, and universities with 10,000 or more enrolled students. Even if you are not a mandatory target, certification is frequently required as a client or tender condition — so if you have received an official notice, we recommend first assessing whether you are in scope.
Can companies in cloud environments (AWS / Azure / GCP) obtain it?
Yes — in fact, it is even better suited to cloud companies. ISO 27001:2022 added Cloud Service Security (A.5.23) as a new control. You systematize access control, encryption, and logging/monitoring in line with the shared responsibility model of AWS, Azure, and GCP. For SaaS, fintech, and healthcare startups, it serves as powerful proof of trust in enterprise sales and investment due diligence.
Why does choosing the right certification consultancy matter so much?
Information security certification is not a matter of handing over a stack of documents — it is about building a system that genuinely operates. A system that is only formally compliant gets flagged for corrective action during the audit, or even once certified, fails to work in the face of an actual breach. It takes an expert who knows the audit floor to design controls that fit your industry's risks, so that you gain both certification and real effectiveness. At Just Verify, a former auditor takes 1:1 ownership, designs ISMS-P and ISO 27001 in an integrated way, and stays with you through renewal after certification.

Start your information security certification with an integrated strategy

30-day average completion, 30% cost reduction, and a cumulative track record of 500 certified enterprises. Just Verify guides you down the path of preparing ISMS-P and ISO 27001 at once.