Check for K-ISMS Compliance
Ensure that all AWS services and resources used within your AWS account are K-ISMS compliant in order to help your organization meet compliance requirements more effectively when it comes to data protection in the cloud.

The Information Security Management System (ISMS) is an extensive set of frameworks that contain policies and procedures to consistently protect sensitive data against cyber threats. Korea-Information Security Management System (K-ISMS) is a Korean government-backed standard promoted by the Korea Internet and Security Agency (KISA) in affiliation with the Korean Ministry of Science and ICT (MSIT). K-ISMS was created in 2002 to meet legal and Information and Communications Technology (ICT) environment requirements in South Korea, based on Article 47 (ISMS certification) of the Act on Promotion of Information Communications Network Utilization and Information Protection. K-ISMS is the standard for evaluating whether IT companies and organizations operate and manage their information security management systems securely and consistently by thoroughly protecting their information assets. In short, K-ISMS is a certification system that assesses whether an organization's information security management system is well established, properly managed and operated.

Amazon Web Services was the first global cloud service provider (CSP) to obtain the K-ISMS standard certification. The AWS K-ISMS certification covers the ap-northeast-2 region (Asia Pacific - Seoul) and the Amazon Edge location in Seoul, South Korea.
Under the Shared Responsibility Model, the AWS K-ISMS certification demonstrates the "Security of the Cloud," enabling AWS customers to focus their resources on items related to "Security in the Cloud" in connection with their own K-ISMS certification process. As a customer who uses AWS services and resources to store, process or transmit sensitive data within South Korea, you can use the work that AWS has done to reduce the time and cost of getting your own K-ISMS certification, and rely on Amazon Web Services infrastructure to build your K-ISMS-compliant cloud applications. Because security and compliance are a shared responsibility between AWS and its customers, you should carefully consider the cloud components you choose to work with: your responsibilities depend on the AWS services used, the integration of those services into your application environment, and any applicable regulations. Therefore, to achieve and maintain K-ISMS compliance, use only the AWS services (and their resources) listed below:
- Amazon API Gateway
- Amazon CloudFront
- Amazon DynamoDB
- Amazon ElastiCache
- Amazon Elastic Block Store (EBS)
- Amazon Elastic Compute Cloud (EC2)
- Amazon Elastic MapReduce
- Amazon Glacier
- Amazon Redshift
- Amazon RDS
- Amazon Route 53
- Amazon Simple Queue Service (SQS)
- Amazon Simple Storage Service (S3)
- Amazon Simple Workflow Service (SWF)
- Amazon Virtual Private Cloud (VPC)
- AWS CloudFormation
- AWS CloudTrail
- AWS Config
- AWS Database Migration Service
- AWS Direct Connect
- AWS Elastic Beanstalk
- AWS Identity & Access Management (IAM)
- AWS Key Management Service
- AWS Lambda
- AWS Storage Gateway
- AWS WAF
- AWS Elastic Load Balancing
- AWS VM Import/Export
Review the updated list of AWS services that are in scope for the K-ISMS certification before you design, create, modify or upgrade your K-ISMS-compliant application and its AWS cloud environment.
An example of a service that is not K-ISMS compliant is Amazon DocumentDB, a fast, scalable, highly available and fully managed document database service that supports MongoDB workloads. Because Amazon DocumentDB is not yet eligible, your cloud application will fail to achieve K-ISMS compliance as long as it is storing, processing or transmitting sensitive data using DocumentDB resources such as NoSQL database clusters. As a consequence, Cloud Conformity recommends that you terminate any AWS resources that are not K-ISMS compliant in order to meet K-ISMS compliance requirements within your AWS account.

To help you and your organization maintain Korea Information Security Management System (K-ISMS) compliance, Cloud Conformity monitors your Amazon Web Services account in real time and sends notification alerts as soon as an AWS resource is created outside the K-ISMS security standard.
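
As an added illustration (not Cloud Conformity's or AWS's code), the following check runs a constructed resource inventory against the service list above. The ARN namespace mapping, the `engine` field and the sample ARNs are assumptions of this example; the engine check is there because DocumentDB clusters use the `rds` ARN namespace and would otherwise pass as Amazon RDS.

```python
# Added example: constructed data, no AWS API calls.
# ARN namespaces assumed by this example for the services listed on this page.
IN_SCOPE_NAMESPACES = {
    "apigateway", "cloudfront", "dynamodb", "elasticache",
    "ec2",  # EC2, EBS, VPC and VM Import/Export resources share this namespace
    "elasticmapreduce", "glacier", "redshift", "rds", "route53", "sqs", "s3",
    "swf", "cloudformation", "cloudtrail", "config", "dms", "directconnect",
    "elasticbeanstalk", "iam", "kms", "lambda", "storagegateway",
    "waf", "waf-regional", "wafv2", "elasticloadbalancing",
}
# DocumentDB clusters use the "rds" namespace; only the engine tells them apart.
OUT_OF_SCOPE_ENGINES = {"docdb"}


def parse_arn(arn):
    """Split arn:partition:service:region:account:resource into a dict."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or not parts[2]:
        raise ValueError(f"not an ARN: {arn!r}")
    keys = ("partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts[1:]))


def kisms_findings(inventory):
    """Return (arn, reason) for each resource outside the page's service list."""
    findings = []
    for item in inventory:
        try:
            service = parse_arn(item["arn"])["service"]
        except ValueError:
            findings.append((item["arn"], "unparseable ARN, review manually"))
            continue
        if service not in IN_SCOPE_NAMESPACES:
            findings.append((item["arn"], f"service '{service}' not in K-ISMS list"))
        elif item.get("engine") in OUT_OF_SCOPE_ENGINES:
            findings.append((item["arn"], f"engine '{item['engine']}' not in K-ISMS list"))
    return findings


# Constructed sample inventory (hypothetical account ID and resource names).
SAMPLE_INVENTORY = [
    {"arn": "arn:aws:ec2:ap-northeast-2:111122223333:instance/i-0example"},
    {"arn": "arn:aws:s3:::example-orders-bucket"},
    {"arn": "arn:aws:rds:ap-northeast-2:111122223333:cluster:orders", "engine": "aurora-mysql"},
    {"arn": "arn:aws:rds:ap-northeast-2:111122223333:cluster:profiles", "engine": "docdb"},
    {"arn": "arn:aws:sagemaker:ap-northeast-2:111122223333:notebook-instance/lab"},
]

if __name__ == "__main__":
    for arn, reason in kisms_findings(SAMPLE_INVENTORY):
        print(f"NON-COMPLIANT {arn}: {reason}")
```
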