Certifications

NAVER Cloud's Information Security Certifications

ISO/IEC 27001, 27017, 27018, 27701, 27799, and 22301 Certifications
Global Certification of Information Security Management System/Information Security for Cloud Services
[Scope of certification]
NAVER Cloud Platform Public/Governmental/Financial Institutions, MYBOX(paid), Whalespace, IT platform services and operation of the DataCenters
ISO/IEC 27001 certification (International standard on information security management system)
ISO/IEC 27001 certification is achieved by conforming to the guidelines of the ISO/IEC 27001 standard for information security management systems. It certifies that the overall security of the NAVER CLOUD services has been recognized under the international standard.
ISO/IEC 27017 certification (International standard on information security management system in the cloud service)
Established in 2015, the ISO/IEC 27017 standard provides guidelines for information security controls applied to cloud services and cloud service providers. Certification is achieved by conforming to guidelines for information security policies, information security organization, personnel security, asset management, access control, encryption, operation, communication security, system development security, supply chain management, information security incident control, compliance controls, and additional security controls required for cloud service providers.
ISO/IEC 27018 certification (International standard on protection of personal data in the cloud service)
Established in 2014, the ISO/IEC 27018 standard provides guidelines for protecting personally-identifiable information stored in the public cloud. Certification is achieved by conforming to the standard.
ISO/IEC 27701 certification (International standard of personal information management system)
ISO/IEC 27701 is an international standard for personal information protection. It sets out requirements and guidelines for the protection of personally identifiable information (PII), as well as for the establishment, implementation, maintenance, and continuous improvement of a personal information management system.
ISO/IEC 27799 certification (International standard on protection of medical data)
ISO/IEC 27799 is an international standard certification of the information security management system with which medical service or medical information processing organizations build and operate a medical information protection management system. It can contribute to protecting the personal medical information of customers using the NAVER CLOUD services.
ISO/IEC 22301 certification (International standard of the business continuity management)
ISO/IEC 22301 is an international standard for Business Continuity Management (BCM). Certification means that the service continuity of the NAVER CLOUD service has been verified against an international standard.
[NAVER CLOUD's Certification Status]
NAVER Cloud obtained ISO/IEC 27001 certification for the IT platform service in 2010. We maintain this certification through strict audits to ensure the integrity of our information security control system. Obtaining additional ISO/IEC 22301, 27017, 27018, 27701, and 27799 certifications demonstrates our commitment to providing a stable, reliable cloud service and our dedication to protecting our users’ personal information.
SOC 1, 2, 3 Certification
Internal control auditing for providing and operating secured services
[Scope of certification]
NAVER Cloud Platform, MYBOX(paid) Service, DataCenter GAK Operation, IT Infra Operation Service

The SOC certificate is an audit designed to increase the credibility of services and service organizations, and it is internationally regarded as a very strict and reliable certificate. The SOC 1 report, which follows the SSAE 18 certificate standards established by the AICPA (The American Institute of Certified Public Accountants), details the results of whether the user organization's ICFR-related (Internal Control over Financial Reporting) services are appropriately designed and effectively operated to be fit for control. The SOC 2 and SOC 3 reports contain the results of whether the organization and service-related procedures of businesses that provide security, availability, processing integrity, confidentiality, and personal information privacy-related services are well-managed and reliable. For a certificate to be issued, an organization must not only have appropriate internal control protocols for the safe provision of services and operations; those protocols must also be verified to have been implemented and not to be in violation. A SOC certificate means that a business has implemented and is operating internal controls at a global level, and the certification details are issued in the form of an audit report.

Service Organization Control (SOC) 1 certificate
The SOC 1 report details the results of the adequacy of financial reporting control. It confirms whether a user organization's ICFR-related services are appropriately designed and effectively operated to be fit for control.
Service Organization Control (SOC) 2 certificate
The SOC 2 report details the results of the adequacy of a service's security controls. Service organizations' management and user businesses can use this report to examine the internal security controls regarding a company's operations.
Service Organization Control (SOC) 3 certificate
The SOC 3 report is a version of the SOC 2 report that is made to be disclosed to the public. The SOC certificate is an audit designed to increase the credibility of services and service organizations. It is internationally regarded as a very strict and reliable certificate.
[NAVER CLOUD's Certification Status]
NAVER Cloud Corp. receives the SOC 1 certificate regarding the adequacy of a user organization's ICFR-related services. It also holds the SOC 2 and SOC 3 certificates, which verify the stability of the service and the reliability of the service organization. The platform has passed a strict audit process focused on the protection of user data, and these certificates recognize that NAVER Cloud Corp.'s personal information management system and internal processes meet or exceed international standards. NAVER Cloud Corp.'s SOC 3 report details how our internal controls ensure security and privacy for our users.
※ The SOC 1 and SOC 2 certificate reports can only be disclosed to a limited audience for the sake of fulfilling their purpose. Therefore, they are not disclosed to the public.
CSA STAR Certification
A global security certification that quantitatively measures the level of cloud service ability.
[Scope of certification]
NAVER Cloud Platform Public/Governmental/Financial Institutions, MYBOX(paid), Whalespace, IT platform services and operation of the DataCenters

The Cloud Security Alliance (CSA) issues the Security, Trust, and Assurance Registry (STAR) certification through the Cloud Controls Matrix (CCM), which is designed to provide fundamental security principles to guide cloud service providers. CCM v.4 defines 197 control items organized into 17 domains. In addition to evaluating whether control requirements have been met, the assessment also determines the maturity of an organization and its processes and produces a scorecard. Certification is only achieved after an organization passes a rigorous evaluation, which provides objective, third-party assurance that the service provider’s cloud security controls are effective.

[NAVER CLOUD's Certification Status]
First among the cloud service providers in Korea, the NAVER Cloud Platform and NAVER Cloud Platform [Public Inst] services successfully completed auditing for the CSA STAR certification and also received confirmation of having satisfied the standard requirements of the British Standards Institution (BSI).
PCIDSS Certification
An international data security standard verification for safe payment information protection.
[Scope of certification]
NAVER Cloud Inc., an IT inter-platform operation service

The Payment Card Industry Data Security (PCIDSS) Certification is an international data security standard developed to foster and promote data security for credit card owners and to promote widespread adoption of consistent data security processes. Major credit card companies like VISA, MasterCard, Amex, JCB, and Diners Club are certified by the Payment Card Industry Security Standard Council (PCISSC), which was established to audit and certify service providers.

[NAVER CLOUD's Certification Status]
In 2016, NAVER Cloud obtained PCIDSS certification in 11 areas, including Applications & Software, Hardware, and Infrastructure & Network, by passing rigorous audits.
ISMS-P / ISMS Certification
Personal information and Information Security Management System Certification / Information Security Management System Certification
[Scope of certification]
ISMS-P: NAVER Cloud Services
ISMS: Maintenance and Operation of IT Platform Service and Internet Data Center
[Validity period]
ISMS-P, ISMS : 2024.10.16 ~ 2027.10.15

The ISMS-P certification, which can be granted by the Korea Internet and Security Agency or other certification institutes, proves the adequacy of a series of measures and actions to protect information and personal information in accordance with the certification criteria. It can serve as the standard for deciding whether a company continues its efforts to secure internal information, whether an adequate level of information security is maintained, and whether the company’s information security management system conforms to the standards set forth by laws and regulations.

[NAVER CLOUD's Certification Status]
NAVER Cloud Corp. obtained the ISMS certification in 2010, and the PIMS certification in 2013, and has maintained an outstanding level of personal information and information security management system, keeping the certifications updated ever since. The latest update includes the newly updated ISMS-P certification in 2019.
CSAP Certification [IaaS, SaaS, DaaS]
Certification of information protection levels for cloud services
[Scope of IaaS certification]
NAVER Cloud Platform (for public institutions)
[Scope of SaaS certification]
SECaaS, NAVER WORKS, Cloud DB
[DaaS certification scope]
Cloud Desktop
Cloud Security Assurance Program (CSAP) IaaS
CSAP is a certification of an organization's compliance with the "Notification of criteria of cloud computing service information protection" requirements issued by the Ministry of Science and ICT. This certification demonstrates that an organization can provide proven stable and reliable cloud services to the public.
Cloud Security Assurance Program (CSAP) SaaS
CSAP SaaS is a new certification system of 2018 that extends the scope of CSAP IaaS to SaaS. The NAVER Cloud Platform's SaaS also demonstrates the high stability and reliability needed for it to be supplied to public institutions.
[Certification for the first time in Korea]
Cloud Security Assurance Program (CSAP) DaaS
CSAP DaaS is a certification for desktops-as-a-service provided by cloud services. It consists of 110 control items in 14 areas covering administrative, physical, and technical protective measures, as well as additional protective measures for public organizations.
[NAVER CLOUD's Certification Status]
The NAVER Cloud Platform IaaS underwent an audit of its administrative, physical, and technical protection measures that covered 14 criteria, among which 117 were control items. The Korea Internet and Security Agency (KISA) certified NAVER Cloud on all 217 items. System Security Checker, Web Security Checker, and Security Monitoring, which are NAVER Cloud SaaS products, have also obtained certification in the same way. We are also planning to acquire certifications for other SaaS products. NAVER Cloud Platform's Cloud Desktop has been verified by KISA as compliant with 110 control items, having been validated for both resource management efficiency and security of DaaS.
MTCS Certification
Standardized global cloud computing multi-tier security system
[Scope of certification]
NAVER Cloud Platform and NAVER Cloud Platform financial institutions

MTCS (Multi-Tier Cloud Security) is a standardized multi-tier security system for cloud computing, with certification services, developed by IDA (Infocomm Development Authority of Singapore) and ITSC (Information Technology Standards Committee). Based on international standards such as ISO/IEC 27001, the MTCS (SS 584:2015) standard for Singapore is the world's first multi-tier cloud security standard, guaranteeing strict observance of the following items under each control category.

Category: Control Category
Cloud Governance: Information security management, Human resources, Risk management, Third party, Legal and compliance, Incident management, Data governance
Cloud infrastructure security: Audit logging and monitoring, Secure configuration, Encryption, Security testing and monitoring, System acquisitions and development
Cloud operations management: Physical and environmental, Operations, Change management, Business continuity planning (BCP) and disaster recovery (DR)
Cloud services administration: Cloud services administration
Cloud user access: Cloud user access
Tenancy and customer isolation: Tenancy and customer isolation

MTCS comprises three security levels, from level 1, which provides basic security, to level 3, which has the capability and maturity to compensate for or resolve security threats in high-impact information systems used by controlled organizations that handle specific matters such as confidential business data, financial records, and medical records.

[NAVER CLOUD's Certification Status]
NAVER Cloud Corp. is Korea's first corporation to have obtained certification at Security Level 3, the tightest security level, in July 2021. The MTCS certifier strictly evaluated our company on three service categories of NAVER Cloud Platform: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service).
CBPR certification
Certification of personal information protection management systems to transfer personal information among APEC member countries
[Scope of certification]
Customer/Prospective Customer, Employee Data processed by NAVER Cloud and its Subsidiaries
※ Scope of Services: NAVER Cloud Platform, MYBOX(paid), WORKS, WORKBOX, Whalespace
※ Scope of Subsidiaries: NAVER Cloud Asia Pacific, NAVER Cloud Japan, LINE WORKS

APEC CBPR certification is a global personal information protection certification developed to support the free and safe transfer of personal information and to facilitate electronic commerce among member countries. 9 countries, including Korea, the United States, Japan, and Singapore, are included in the certification, and the certification validates competency in transferring personal information overseas and processing it.

[NAVER Cloud's certification management status]
NAVER Cloud Corp. has acquired the first CBPR certification amongst Korean CSP companies. Based on 9 APEC privacy principles, our personal information management system's safety and reliability have been validated for paid services in NAVER Cloud Platform and MYBOX.
Compliance with the Guide to Using Cloud Computing Services in the Financial Sector
Compliance with the evaluation criteria for evaluating cloud service providers by financial companies, and support and cooperation of cloud service providers for compliance with financial laws
[Basic safeguards]
CSAP assessment and certification control items (109 items)
[Additional safeguards for the financial sector]
Support and cooperation items for cloud service providers for compliance with financial laws (32 items)

The Electronic Financial Supervision Regulations stipulate cloud service providers, as defined in the Cloud Computing Act, as subjects of evaluation. Financial companies divide the evaluation into ‘basic protection measures’, which are general security standards that cloud service providers must comply with, and ‘additional protection measures for the financial sector’, which are specialized standards for the financial sector. NAVER Cloud Co., Ltd. has been verified as having a secure cloud service environment through CSAP certification, and is striving to assist in the ‘basic protection measures’ evaluation by obtaining and maintaining CSAP certification. In addition, we are actively supporting and cooperating with the evaluation of ‘additional protection measures for the financial sector’ by identifying matters necessary for financial customers to comply with laws and regulations.