South Korean cryptocurrency exchange GOPAX has become the first blockchain company to attain K-ISMS certification, the official standard in Korea for information security management systems. This is an important sign of approval by the Korean government regarding GOPAX’s cybersecurity infrastructure.
K-ISMS certification is an official domestic standard regarding the establishment, management and operation of information security systems for selected industries including server hosts, portal services and internet service providers. Based on Article 47 of the Act on Promotion of Information and Communications Network Utilization and Information Protection (“the Network Act”), the certification carries significance for the blockchain sector as it signals that blockchain companies possess the capacity to manage and operate information security systems at a level on par with much more established corporations and businesses, specifically those in the technology and financial sectors.
In an interview with Bitcoin Magazine, Myeonghun Baek, the chief information security officer (CISO) at GOPAX, explained, “K-ISMS certification is mandatory for companies above a certain level in terms of either sales or user numbers that utilize information communication networks. GOPAX is currently not at that level, and thus didn’t need to obtain certification, but we voluntarily underwent the K-ISMS audit to become certified. As there is no official operating standard for blockchain companies currently in place, GOPAX receiving K-ISMS certification is a sign that it is willing to be ahead of legislation and set an operating standard for other blockchain companies.”
The K-ISMS certification process takes place through the Korea Internet and Security Agency (KISA), which operates a team of specially trained auditors to examine the applying companies, along with a committee that evaluates the audit results.
The audit itself covers two major areas: information security management processes and information security measures. The former consists of 5 individual categories, including management responsibilities and organizational structure, and risk management and post-incident management. The latter is composed of 13 categories, such as information security policy, information security organization, external security, the categorization of information assets and information security training.
This is not GOPAX’s first step toward government compliance. Last July, the company obtained ISO/IEC 27001 certification, becoming the first cryptocurrency exchange in the world to do so. ISO/IEC 27001 is a global information security management standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It serves as a standard used between companies at the international level, which, according to Baek, suggests that GOPAX meets certain standards around the globe and can thus operate on a level that ensures basic competence regarding information security management.
“For operating within the bounds of Korea, K-ISMS is still more significant because it offers tangible benefits when operating a relevant business within Korean jurisdiction, as well as discounts when applying for information security insurance and bonus points during KISA’s information security evaluations,” said Baek. “Companies looking to scale within the financial and tech sectors will eventually be required to obtain K-ISMS certification or face penalties.”
Baek mentions that under the Network Act, cryptocurrency exchanges are presently identified as “information and communications service providers” rather than financial institutions. Thus, they fall under the jurisdiction of the Korean Ministry of Science and ICT (MSIT) rather than Korea’s Financial Services Commission (FSC), but he believes this opens yet another door for GOPAX and its staff.
“It’s different from countries like Japan, where the overarching organization regarding crypto exchanges is the Financial Services Agency,” he stated. “However, the blockchain industry has been requesting the government to establish a set of rules so that the companies know what is out of bounds when it comes to operating a blockchain company.”
He continued, “While nothing official has come out in that regard, it is also up to the companies themselves to demonstrate that they can operate up to standards that are currently in place for other companies in the tech sector. By achieving K-ISMS certification, GOPAX has shown that it is capable and serious about legal compliance, and we feel this move can inspire other companies to follow suit. That would show that the companies in this sector are interested in compliance and in cooperating with the government to establish a set playing field and to operate in a transparent manner.”