
ISMS-P Certified: FlareLane's CRM Data Security in Korea

CRM marketing handles user personal data. FlareLane holds ISMS-P, the Korean certification that audits how that data is protected.


CRM marketing handles user personal data. Names and phone numbers, emails, purchase history, behavior inside the app, all of it. When you choose a solution, security comes first.

Every solution says it manages data securely. What counts is whether an outside body checked that claim against a fixed standard. In Korea, that standard is ISMS-P. FlareLane holds it.

What ISMS-P is, and why it carries weight in Korea

ISMS-P is run by the Korea Internet & Security Agency (KISA) under the Personal Information Protection Act and the Network Act. Two certifications sit underneath it. ISMS² covers information security. ISMS-P adds personal information protection, the P, on top. CRM marketing runs on personal data, so the standard that fits it is the one with the P.

| Certification | What it audits | Personal data |
|---|---|---|
| ISMS | Management system, protection measures | Not covered |
| ISMS-P | Management system, protection measures, personal-data lifecycle | Covered |

In Korea this is not a nice-to-have. The country enforces some of the strictest privacy law anywhere, and a KISA certificate is the recognized proof that personal data is handled to a national standard. To a Korean partner or a security review, ISMS-P says in one line that an outside auditor checked your controls.

ISMS-P splits into three areas: how you build and run the management system, what protection measures guard your systems and data, and how you handle personal data from collection to disposal. The first two areas are the scope of ISMS; the third, the personal-data lifecycle, is what makes it ISMS-P. Together they come to 101 controls. FlareLane passed that audit, the first in Korea's CRM marketing industry to clear it.³

Across Korean customer-messaging and CRM marketing solutions, plenty hold no security certification at all. Many that do stop at ISMS, which covers security only, or at CSAP, the cloud security certification for public procurement. Fewer still hold ISMS-P, which puts the full handling of personal data through outside review.

Here is how disclosed security certifications line up by solution.

| Solution | Disclosed security certification | ISMS-P |
|---|---|---|
| FlareLane | ISMS-P | Yes |
| Ch** | ISMS | No |
| Br*** | ISO 27001 (overseas) | No |

The table reflects each solution's publicly disclosed certifications; ISMS-P status is verifiable in KISA's certificate records (as of June 2026).

The controls below are the ones you meet most directly when you put user data into a CRM. They are also the parts a KISA auditor checked before granting FlareLane the certificate.

Data collection, storage, and disposal

Of the three areas, the lifecycle-stage privacy requirements check every step from collection to disposal: on what basis data was collected, whether it is used for its stated purpose while held, and whether it is deleted once it is no longer needed.

Load a user list into a CRM and these criteria apply. Outside review checks whether the data was collected with consent and whether data past its retention period gets cleared out.

This is the part closest to a marketer's day. Consent and disposal get checked most often in routine work, and they are the first things examined when something goes wrong. FlareLane drops users who opt out from your send list automatically, so once someone withdraws consent, messages stop reaching them.

Permissions and access control

The protection-measures area covers the technical safeguards: who gets which permissions, how access is controlled, and how data is encrypted. You can't earn ISMS-P certification without passing these controls.

FlareLane assigns each member a role. What a role can see and do is set per role, and permissions like viewing sensitive real-name data or downloading a CSV are granted separately. It follows least privilege⁴: open only what the work needs.

Figure: FlareLane console, masked user information (user list with name, phone number, and user ID partially masked).

So when you view user information in the console, real-name fields like name, phone number, email, and birthdate are partially hidden. How much is hidden depends on the role, and only members with permission see the original values. It is the most practical way to cut down on personal data moving around internally for no reason.
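The role-dependent masking and separately granted permissions described above can be sketched as follows. This is an added example, not FlareLane's code: the role names, permission names, mask formats, and sample record are all assumptions made for illustration. It also shows why display-layer masking leaves message personalization untouched.

```python
# Constructed roles and permission names (assumptions, not FlareLane's own).
ROLES = {
    "viewer":   {"perms": set(),                           "mask": "full"},
    "marketer": {"perms": {"send_message"},                "mask": "partial"},
    "admin":    {"perms": {"view_unmasked", "export_csv"}, "mask": "partial"},
}
SENSITIVE = ("name", "phone", "email", "birthdate")

def _partial(field, value):
    """Keep just enough of a value to tell records apart."""
    if field == "name":
        return value[:1] + "*" * (len(value) - 1)
    if field == "phone":  # keep separators and the last four digits
        left = sum(c.isdigit() for c in value)
        out = []
        for c in value:
            keep = not c.isdigit() or left <= 4
            left -= c.isdigit()
            out.append(c if keep else "*")
        return "".join(out)
    if field == "email":
        local, _, domain = value.partition("@")
        return local[:1] + "*" * max(len(local) - 1, 0) + "@" + domain
    return value[:4] + "-**-**"  # birthdate in ISO form: keep the year only

def render_for_console(user, role):
    """Display-layer view of a stored record for a console member with `role`."""
    cfg = ROLES.get(role, {"perms": set(), "mask": "full"})  # unknown role: most restrictive
    view = dict(user)  # copy, so the stored record is never modified
    if "view_unmasked" not in cfg["perms"]:
        for f in SENSITIVE:
            if view.get(f):
                view[f] = "*" * len(view[f]) if cfg["mask"] == "full" else _partial(f, view[f])
    return view

def can_export_csv(role):
    """CSV download is its own permission, not implied by being able to view."""
    return "export_csv" in ROLES.get(role, {}).get("perms", set())

def build_message(user, template):
    """Sending path: personalization reads the stored record, not the masked view."""
    return template.format(**user)

USER = {"user_id": "u_1001", "name": "Jiwoo Kim", "phone": "010-1234-5678",
        "email": "jiwoo@example.com", "birthdate": "1994-03-21"}  # constructed sample

if __name__ == "__main__":
    for role in ("viewer", "marketer", "admin"):
        print(role, render_for_console(USER, role), can_export_csv(role))
```
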

IP access control

Access location can be restricted too. Register the IPs allowed into the console per project, and anything outside that list is blocked. It keeps the console reachable only from set places like an office or company network.

Two-factor authentication

Login gets one more step. An ID and password alone aren't enough, so console login asks for an OTP as well. If a password leaks, the account doesn't open on it alone.

Figure: FlareLane console, per-member 2FA status (project settings page for checking each member's two-factor authentication status).

Activity logs and incident response

Some protection-measure controls assume incidents happen. ISMS-P doesn't claim every incident can be prevented. It checks whether you can spot anomalies and how you respond when one occurs.

FlareLane logs the main actions taken in the console. It records who viewed, edited, or deleted user data, downloaded a CSV, or sent a message, along with the member, time, and source. When something goes wrong, that record is where you start narrowing down the cause.

When requests spike abnormally, per-project limits step in to protect the system. A CRM pools a lot of user data in one place, so how fast you catch a problem and contain it decides how far the damage goes. ISMS-P reviews that response procedure against an outside standard too.

Penetration testing and vulnerability checks

ISMS-P's protection measures include a separate control for vulnerability checks.⁵ It calls for checking the system for weaknesses on a regular schedule and fixing whatever turns up. Past a certain company size and data sensitivity, it also calls for penetration testing.

Penetration testing means attacking the system the way an outside attacker would. Testers go straight at the exposed parts, like login, payments, and APIs, to find weaknesses that could actually be exploited. Public-facing services get retested on a schedule.

FlareLane went through this penetration test during certification. After fixing what the test surfaced, it passed the audit.

When you pick a CRM solution

Users grow more sensitive to how their data is handled, and in Korea that sensitivity is backed by law. So when you decide whose solution that data lives in, the standard it meets is part of the decision.

When you compare solutions, go past whether a certificate exists. Check whether it is ISMS or ISMS-P, and watch how its controls behave in the console. See whether role separation, IP access control, two-factor auth, and activity logs live only in a description or actually run on screen.

Write down the data you handle today and your internal security requirements, and that check goes faster. You can request a security requirements review below.

Want to compare solutions against ISMS-P?

Tell us the data you handle, and we'll map out which security controls matter and what to check first.


Footnotes

¹ ISMS-P: Korea's Information Security and Personal Information Protection Management System certification. The Korea Internet & Security Agency (KISA) audits 101 controls across three areas, management system operation, protection measures, and lifecycle-stage privacy requirements, before granting it. FlareLane is certified as ISMS-P-KISA-2026-021, and the certification can be verified in KISA's published issuance records.

² ISMS: Information Security Management System certification. It audits the security side, management system and protection measures, that guards information assets. Add the lifecycle-stage personal-data requirements and it becomes ISMS-P.

³ Industry first: FlareLane (FlareLabs) is the first CRM marketing solution in Korea to earn ISMS-P, as reported by beSUCCESS and elec4 on June 10, 2026.

⁴ Least privilege: granting each member only the data access their work strictly requires. It maps to ISMS-P's authentication, authorization, and access-control measures.

⁵ Penetration testing: a check that attacks the system using an outside attacker's methods to find weaknesses that could actually be exploited. It maps to ISMS-P's vulnerability check and remediation control (2.11.2).

References

1. Korea Internet & Security Agency (KISA), Information Security and Personal Information Protection Management System (ISMS-P). https://www.kisa.or.kr/1050602

2. Korea Internet & Security Agency (KISA), ISMS-P certificate issuance records. https://isms.kisa.or.kr/main/ispims/issue/?certificationMode=list

3. beSUCCESS, FlareLabs' FlareLane earns the CRM marketing industry's first ISMS-P certification (in Korean). https://besuccess.com/?p=183725

4. elec4, CRM solution FlareLane strengthens its security framework with ISMS-P (in Korean). https://elec4.co.kr/contents/article_detail?article_idx=37141

5. Personal Information Protection Commission, ISMS-P certification criteria. https://www.privacy.go.kr/front/contents/cntntsView.do?contsNo=59

6. Venture Square, Channel Talk earns Information Security Management System (ISMS) certification (Aug 21, 2023; in Korean). https://www.venturesquare.net/893067

7. Braze, Security Qualifications. https://www.braze.com/docs/en/developer_guide/disclosures/security_qualifications



Contents Team, FlareLane (FlareLabs, Inc.)

Written by people who've actually run CRM marketing and growth, not just written about it.


FlareLane is a CRM marketing solution that automatically delivers push, SMS, KakaoTalk, and in-app/in-web messages aligned with each customer's behavior and journey. From startups to enterprises, we help everyone design and run hyper-personalized marketing and customer journey automation with ease.

Frequently asked questions

What's the difference between ISMS and ISMS-P?

ISMS certifies an information security management system. ISMS-P adds personal information protection, the P, on top: it also audits how personal data is handled from collection through disposal. CRM marketing runs on personal data like names, phone numbers, and purchase history, so ISMS-P, which covers the personal-data side, is the better-fit standard. FlareLane holds the ISMS-P certification.

Will masking and permissions get in the way of personalization or sending?

No. Masking applies only to what shows on the console screen - it is a display-layer control. Message sending and personalization run on the original data, so name personalization and segment sends work as usual. A member seeing less real-name data on screen doesn't change how the system builds a message.

Can we require two-factor authentication for the whole team?

Yes. FlareLane can enforce two-factor authentication for every member at the project level. The per-member status view in the console shows at a glance who hasn't set it up yet, so you can prompt or require it. It holds the whole team to the same account-security bar instead of leaning on passwords alone.

Once granted, is ISMS-P certification valid forever?

No. ISMS-P certification is valid for three years. After it is granted, it takes an annual surveillance audit and a renewal audit every three years to stay in force. So a live certification means the program is run and reviewed continuously, not that it passed once. When you check a solution, look at the certification date and renewal history too.

If a solution holds ISMS-P, does that cover our own privacy obligations?

Not on its own. A solution's ISMS-P certification means the system that builds and runs it meets the criteria. As the company collecting the data, you still carry your own duties - proper consent, a data-processing agreement, a privacy policy. A certified solution gives you a solid base, but it doesn't take your own responsibility off your plate.