Management and Physical Risk Assessment for Critical Information and Communication Infrastructure (2026 Version)

Developed to submit annual performance records, including the establishment of information security regulations and the preparation of various activity evidence, by applying domestic and international certification standards for Information Security Management Systems (ISMS) and internal/external audit criteria to the revised Risk Assessment standards for the Management and Physical sectors of Critical Information and Communication Infrastructure in the second half of 2025. The plan is designed to prepare for changes in the external environment (AI, etc.), internal environment (new systems and changes in employees/external staff), and new evaluation indicators and legal amendments. It aims to establish activity plans to advance information security levels compared to the previous year. Specifically, it involves objectively and meticulously inspecting various activities to strengthen accident prevention systems—such as personal information leaks caused by hacking—and establishing plans for the headquarters to supervise all departments and ensure the secure management of contractors. This includes operating DevSecOps systems following the introduction of AI systems and implementing Privacy by Design (PbD) adequacy review frameworks. The execution is based on expanding monitoring and periodic inspection report areas, external disclosure areas, data linkage system inspections (API, MyData, etc.), establishing network separation improvement plans according to N2SF, and advancing Zero Trust implementation. *Possessing over 150 references for establishing and applying the world's first and highest-level information security and personal information protection activities and system enhancement plans.