[Tech Blog] Simplifying ISMS-P Compliance Korea Open Source
Blog | Date: 2024-12-10

Simplifying Korea’s ISMS-P Compliance with Open Source: MegazoneCloud’s Prowler Contribution

In this blog, we will briefly introduce how to utilize the KISA ISMS-P certification framework, contributed by MegazoneCloud, in the open-source security tool Prowler. We will also highlight the virtuous cycle created through collaboration between enterprises and the open-source community, demonstrating how open-source solutions can enhance efficiency in certification processes.

What is ISMS-P Certification?

ISMS-P (Information Security Management System & Privacy) is a certification system established under the Information and Communications Network Act and the Personal Information Protection Act in South Korea.

 

It combines the Information Security Management System (ISMS) and Personal Information Management System (PIMS) certifications into a unified assessment process.

 

By acquiring ISMS-P certification, organizations can demonstrate their compliance with the legal requirements for information security and personal information protection as mandated by these laws.

 

Figure 1-1. ISMS-P Basic flow of the certification procedure

 

This certification is managed by the Korea Internet & Security Agency (KISA) and the Financial Security Institute (FSI) of Korea. Independent audit bodies evaluate whether the certification criteria are met before granting the certification.

The primary purpose of the ISMS-P certification is to help organizations enhance service reliability, respond effectively to complex cyber threats, and comply with legal requirements. In particular, it is a mandatory certification for information and communications service providers exceeding a certain scale, as explicitly required by Article 32-2 of the Personal Information Protection Act (Certification of Personal Information Protection).

 

Figure 1-2. Certification system (references and more details: PIPC (Personal Information Protection Commission), ISMS-P Certification Overview)

 

Practical Challenges of Obtaining ISMS-P Certification

1. Increasing Complexity and Changes in Certification Standards Due to Cloud Adoption

 

As organizations accelerate the adoption of cloud environments, certification standards such as ISMS-P are becoming increasingly complex.

 

Unlike traditional on-premises security systems, cloud environments introduce distributed data and virtualized resources, leading to more diverse and granular security requirements.

 

For larger organizations or those with critical services, the rise of multi-cloud and hybrid cloud configurations adds another layer of complexity. Companies must understand the unique characteristics of each cloud service while simultaneously ensuring compliance with cloud security regulations, creating a dual challenge.

2. Limited Budgets and Resources

 

The costs associated with preparing for or maintaining certification can pose significant challenges, particularly for smaller organizations.

In addition, the technical expertise and tools needed to meet the certification’s stringent requirements are not always readily available or standardized, further complicating the process.

 

3. The Burden of Continuous Maintenance

 

ISMS-P certification is not a one-time effort; it requires ongoing management and maintenance. Frequent updates to compliance standards, the need to adjust management systems accordingly, and the preparation for annual audits impose significant time and financial burdens on organizations.

Where to Begin with ISMS-P Compliance in Cloud Environments

1. The Background and Role of Cloud Security and Compliance Tools

 

To address the practical challenges mentioned above, the government has introduced the “Simplified Certification for Information Security and Personal Information Protection Management Systems” program. This initiative aims to reduce the certification burden on organizations.

 

However, its scope is limited to specific organizations and environments, making it inadequate to meet the complex and rapidly evolving compliance requirements of diverse cloud infrastructures.

 

To address these challenges, organizations are often compelled to invest significant time and resources into adopting commercial solutions, hiring security professionals, conducting training, and building internal processes to achieve and maintain compliance.

 

In this context, cloud security assessment tools and open-source solutions have become vital alternatives, offering enhanced efficiency and cost-effectiveness in the certification preparation process.

2. The Emergence and Importance of CSPM (Cloud Security Posture Management)

 

The rapid adoption of cloud infrastructure has introduced new security and compliance challenges, creating the need for innovative tools like Cloud Security Posture Management (CSPM).

 

CSPM refers to solutions specifically designed to continuously assess and manage the security posture of cloud environments. These tools focus on preventing security risks and ensuring compliance with regulatory requirements by providing real-time visibility and control over cloud configurations.

 

A key strength of CSPM tools lies in their ability to detect and automatically remediate security vulnerabilities caused by misconfigurations—one of the most common causes of security incidents in cloud environments.

 

Moreover, CSPM solutions are tailored to efficiently address the complex and dynamic security requirements of modern cloud ecosystems. They are particularly well-suited for organizations that need to perform compliance checks and adhere to rigorous standards such as ISMS-P, helping reduce the risk of regulatory violations while streamlining security operations.

 

3. Global CSPM Open Source: Focused on Prowler!

 

Figure 1-3. Positioning of Key Open Source CSPM Tools

Open-source CSPM tools are considered an effective alternative to commercial solutions due to their lower cost and high customizability.

 

Among them, Prowler stands out as a top-tier tool in terms of functionality and community engagement. It supports security assessments and compliance across major cloud environments such as AWS, Azure, GCP, and Kubernetes, offering robust features comparable to those of commercial solutions.

 

Notably, Prowler has earned over 10,900 stars on GitHub, reflecting its strong recognition and trust within the community.

 

This achievement positions Prowler not just as a widely used tool but as a standard in the CSPM domain within the global open-source community.

 

Table 1-1. Comparison of Key Open-Source CSPM Tools

| Project Name | GitHub Stars | Contributors | Last Commit Date | Supported Platforms | Supported Compliance Frameworks | Key Features |
|---|---|---|---|---|---|---|
| Prowler-cloud | 10.9k | 259 | 2024-11-20 | AWS, Azure, Google Cloud, Kubernetes | KISA-ISMS-P, CIS, NIST 800-53, PCI-DSS, GDPR, FedRAMP, FFIEC, GXP, HIPAA, ISO 27001, SOC2, AWS Well-Architected Framework, ENS and more | Cloud security detection and assessment, asset identification, compliance checks, incident response support, hardening and forensic readiness, reporting, AWS Security Hub integration |
| CloudSploit | 3.4k | 50 | 2024-11-27 | AWS, Azure, GCP | CIS, HIPAA, PCI-DSS | Cloud threat detection, compliance checks |
| Fix Inventory | 1.6k | 20 | 2024-11-26 | AWS, GCP, Azure | None | Cloud threat detection, asset identification |
| ZeusCloud | 697 | 20 | 2024-10-26 | AWS | CIS, PCI-DSS | Cloud threat detection |
| OpenCSPM | 336 | 5 | 2022-02-18 | AWS, GCP | User-defined compliance checks | Cloud security posture management |

Prowler is an open-source security tool designed for evaluating security best practices, auditing, incident response, continuous monitoring, hardening, forensic readiness, and remediation across environments such as AWS, Azure, Google Cloud, and Kubernetes. It is available in two formats.

 

  • Prowler (Git Community Version)
    This version is used via the Command Line Interface (CLI) and requires users to install and operate it manually. It is free of charge and continually improved through contributions from the community.
  • Prowler SaaS (Enterprise Commercial Service)
    Based on the open-source version of Prowler, this subscription-based service provides additional features and convenience tailored for enterprise users. It offers enhanced functionality and support, making it more accessible and feature-rich for organizations.

 

Table 1-2. Key Differences Between Prowler and Prowler SaaS

| Item | Prowler (Community Version) | Prowler SaaS (Enterprise) |
|---|---|---|
| Installation & Management | User-managed installation, CLI-based | Cloud-based with a web interface, no installation required |
| Supported Cloud Environment | AWS, Azure, Google Cloud, Kubernetes | AWS, Azure, Google Cloud, Kubernetes (same coverage) |
| Feature Scope | Basic security assessment, compliance checks, and report generation | Advanced dashboards, real-time alerts, and automated remediation |
| Reporting Format | CSV, JSON, HTML, OCSF | Easy access and management through a web-based interface |
| Support | Community-supported | Enterprise-supported |
| Ease of Use | Assessment and result verification via command line | User-friendly web interface for simple management |
| Automation Level | Limited automation (manual user configuration needed) | Advanced automation (includes auto-remediation and alerts) |
| Cost | Free | Pay per use |

4. Creating KISA-ISMS-P Compliance: From Concept to Integration

 

4.1 Why We Developed KISA-ISMS-P Compliance for Prowler

As the demand for ISMS-P continues to grow steadily in Korea, we provided both English and Korean versions of ISMS-P compliance for Prowler. This was done to enable Korean users to easily evaluate and utilize ISMS-P regulations through Prowler.

This initiative represents the first step in spreading awareness of Korea’s ISMS-P regulations while effectively supporting key compliance requirements in Korea by leveraging a global open-source tool.

 

4.2 Steps to Integrate KISA-ISMS-P Compliance


4.2.1 Data Preparation

 

Our team has been developing a universal cloud security dataset that addresses various compliance frameworks. This dataset is based on major cloud security regulatory requirements, including KISA’s ISMS-P, and is enriched by our team’s cloud security knowledge base.

For this Prowler KISA-ISMS-P compliance contribution project, we utilized this dataset to train a generative AI model. The model was then used to generate initial mapping data between Prowler’s Checks list items and the detailed requirements of ISMS-P.
The initial mapping data underwent iterative reviews and improvements by our team of experts, eventually culminating in a finalized KISA-ISMS-P compliance set that can now be used within Prowler.

 

4.2.2 Detailed Analysis of Prowler

 


– Analysis of CLI Command Flows

 

CLI commands serve as the primary mechanism controlling the main logic of Prowler. Therefore, it was necessary to clearly define the command paths and their operations to create KISA-ISMS-P compliance.
Subsequently, we analyzed the execution flows of each command to trace how they interacted with key modules such as Checks logic, compliance loading, and output generation.

 

– Analysis and Transformation of Checks

 

The analysis of Checks logic involved understanding the entire workflow, from defining individual Checks to execution flow, component management, and result processing. We also prepared the data by converting it into our team’s dataset format through a dedicated ETL (Extract, Transform, Load) process for effective utilization. Finally, we examined how the results of Checks execution were stored, how the data flowed to the output logic, and how it was processed into the desired output format.

 

– Compliance Design

 

In the compliance directory, we reviewed the existing compliance JSON files to identify the necessary information. Based on this review, we defined and designed the components required for developing KISA-ISMS-P compliance.

 

4.2.3 AI-Based Initial Data Mapping

 

Using a fine-tuned generative AI model, we extracted and refined Prowler’s Checks list from the previous stage and mapped them to KISA’s ISMS-P requirements to generate the initial data.
This initial data underwent a first-round review to evaluate its suitability, during which we assessed for missing items and over-mapped cases.
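The first-round review described above (missing items and over-mapped cases) can be scripted; the following is an added example, not MegazoneCloud's or Prowler's own code. The JSON layout mirrors Prowler's compliance files (Framework, Version, Provider, and a Requirements list whose entries carry an Id and a Checks list), but every requirement ID, description, check name and the known-checks set are constructed sample data, and `max_checks` is an assumed review threshold.

```python
"""Review an ISMS-P -> Prowler Checks mapping for missing and over-mapped
requirements. Added example; the JSON layout mirrors Prowler's compliance
files, but every ID, description and check name below is constructed."""
import json

# Constructed sample compliance file (Prowler layout: Framework / Version /
# Provider / Requirements[] with Id, Description, Checks).
SAMPLE_COMPLIANCE = json.dumps({
    "Framework": "KISA-ISMS-P",
    "Version": "2023",
    "Provider": "AWS",
    "Description": "Constructed sample for a first-round mapping review",
    "Requirements": [
        {"Id": "2.5.1", "Description": "User account management (sample)",
         "Checks": ["iam_root_mfa_enabled",
                    "iam_user_mfa_enabled_console_access"]},
        {"Id": "2.6.1", "Description": "Network access control (sample)",
         "Checks": []},                      # missing item: nothing mapped
        {"Id": "2.9.4", "Description": "Logging and monitoring (sample)",
         "Checks": ["cloudtrail_multi_region_enabled",
                    "cloudtrail_log_file_validation_enabled",
                    "cloudwatch_log_group_retention_policy_specific_days_enabled",
                    "not_a_real_check_id"]},  # over-mapped, plus an unknown ID
    ],
})

# Constructed stand-in for the set of check IDs that exist in Prowler
# (in practice, collect these from the checks directory or `--list-checks`).
KNOWN_CHECKS = {
    "iam_root_mfa_enabled",
    "iam_user_mfa_enabled_console_access",
    "cloudtrail_multi_region_enabled",
    "cloudtrail_log_file_validation_enabled",
    "cloudwatch_log_group_retention_policy_specific_days_enabled",
}

def review_mapping(compliance_json, known_checks, max_checks=3):
    """Return findings: requirements with no checks ('missing'), with more
    than max_checks checks ('over_mapped'), check IDs that do not exist
    ('unknown_checks'), and a (mapped, total) coverage tuple.
    max_checks is an assumed review threshold, not a Prowler rule."""
    data = json.loads(compliance_json)
    findings = {"missing": [], "over_mapped": [], "unknown_checks": {}}
    mapped = 0
    for req in data["Requirements"]:
        checks = req.get("Checks", [])
        if checks:
            mapped += 1
        else:
            findings["missing"].append(req["Id"])
        if len(checks) > max_checks:
            findings["over_mapped"].append(req["Id"])
        unknown = sorted(set(checks) - set(known_checks))
        if unknown:
            findings["unknown_checks"][req["Id"]] = unknown
    findings["coverage"] = (mapped, len(data["Requirements"]))
    return findings
```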

4.2.4 Expert Review and Refinement

 

Following the first review, our team and relevant experts conducted an in-depth examination of the mapping accuracy between ISMS-P requirements and Prowler’s Checks items. Based on their feedback, we adjusted the mapped items to enhance their alignment.

 

4.2.5 Integration into Prowler Code

 

Using the finalized and improved mapping data, we developed the integration code to process the KISA-ISMS-P compliance within Prowler.

 

A Pull Request (PR) was created and submitted for review and approval by Prowler’s maintainers to merge the code into the main branch.

 

4.3 Contributions

 

For this Prowler KISA-ISMS-P compliance contribution, we added or modified a total of 12 files, resulting in 9,097 lines of code added.
The changes include various files, such as both English and Korean versions of the KISA-ISMS-P compliance.

 

– Dashboard Files:

`dashboard/compliance/kisa_isms-p_2023-korean_aws.py`

`dashboard/compliance/kisa_isms-p_2023_aws.py`

– Compliance Files:

`prowler/compliance/aws/kisa_isms-p_2023-korean_aws.json`

`prowler/compliance/aws/kisa_isms-p_2023_aws.json`

– Output and Model Files:

`prowler/lib/outputs/compliance/kisa_ismsp/__init__.py`

`prowler/lib/outputs/compliance/kisa_ismsp/kisa_ismsp.py`

`prowler/lib/outputs/compliance/kisa_ismsp/kisa_ismsp_aws.py`

`prowler/lib/outputs/compliance/kisa_ismsp/models.py`

 

5. Getting Started with KISA-ISMS-P Compliance in Prowler


5.1 Preparing the Installation Environment

 

Before installing Prowler, it is recommended to create a Python virtual environment to establish an isolated development environment. This allows you to safely install and manage Prowler and its related packages without affecting the system.

 

5.1.1 Checking Python: Ensure that Python is installed on your system.

As of now, it is recommended to use Python versions 3.9 or higher, but below 3.13.

bash) python3 --version

5.1.2 Verify Git Installation: Ensure that the Git CLI is installed on your system.

bash) git version

 

5.1.3 Create and Navigate to the Project Directory: Create a dedicated directory for installing Prowler, and navigate to it.

bash) mkdir xxx-prowler

bash) cd xxx-prowler

5.1.4 Create and Activate a Python Virtual Environment: Use the venv module to create a virtual environment and activate it.

bash) python3 -m venv prowler-venv

bash) source ./prowler-venv/bin/activate

5.1.5 Update PIP: Update the Python package manager (pip) to the latest version to prevent any package installation errors.

 

bash) pip install --upgrade pip

5.1.6 Install Poetry: If Poetry is not already installed, use the following command to install it.

bash) curl -sSL https://install.python-poetry.org | python3 -

 

5.2 Installing and Running Prowler

 

Prowler offers multiple installation methods. In this blog, we will focus on cloning the source code directly from Prowler’s official GitHub repository. This approach provides the advantage of accessing the latest development version and utilizing customization options.

 

5.2.1 Clone the Prowler GitHub Repository and Grant Execution Permissions: Download the open-source code for Prowler from GitHub, navigate to the corresponding directory, and grant execution permissions for the necessary files.

5.2.2 Install Dependencies with Poetry: Use Poetry to install all the required dependencies needed to run Prowler.

 

bash) poetry install

 

5.2.3 Verify Prowler Installation: Check the installation by displaying the version of Prowler and confirming that the list of available compliance checks includes KISA-ISMS-P.

 

bash) python prowler.py -v

bash) python prowler.py --list-compliance

5.3 Preparing the Target Cloud Environment for Prowler Assessment

5.3.1 Install and Configure AWS CLI

 

To perform assessments in AWS cloud environments, Prowler requires authentication and permissions to be set up using the AWS CLI.

5.3.2 Verify AWS CLI Installation


Check if the AWS CLI is already installed. If it is not installed, use the following command to install it.

 

bash) aws --version

bash) brew install awscli

 

5.3.3 Configure AWS CLI


Configure the AWS access key, secret key, region, and output format.

bash) aws configure

– Access Key ID: The key issued via the AWS IAM console.
– Secret Access Key: The secret value associated with the access key.
– Default region: For example, ap-northeast-2 (Seoul region).
– Default output format: json (recommended)

5.4 Conducting Assessments and Reviewing Results

5.4.1 Execute Compliance Assessments

 

The following example demonstrates how to execute an assessment using the KISA-ISMS-P compliance version published in November 2023. To use the English version, remove the “_korean” portion from the command before executing it.

 

bash) python prowler.py --compliance kisa_isms_p_2023_korean_aws --region ap-northeast-2

5.4.2 Review Assessment Results

 

Once the assessment is successfully completed, the terminal will display the path to the result files, as shown below.

Navigate to the specified path to review the assessment results. The result files are located in the compliance directory, as illustrated in the example. Additionally, the output is available not only in CSV Format but also in various other formats to suit your needs.

 

You can open the CSV file to review the detailed results, as shown below.
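As an added example (not code from the original post or from Prowler), the following rolls such a compliance CSV up to one status per ISMS-P requirement: a requirement fails as soon as any mapped check fails on any resource, and muted findings are excluded by default. The sample rows are constructed; the semicolon delimiter and the column names REQUIREMENTS_ID, CHECKID, RESOURCEID, STATUS and MUTED are assumptions about the CSV layout, so match them against the header line of your own output file.

```python
"""Summarise a Prowler compliance CSV per ISMS-P requirement.
Added example; sample rows are constructed and the column names and
';' delimiter are assumptions about the CSV layout."""
import csv
import io
from collections import defaultdict

# Constructed sample with a reduced column set (real files carry more columns).
SAMPLE_CSV = """\
REQUIREMENTS_ID;REQUIREMENTS_DESCRIPTION;CHECKID;RESOURCEID;STATUS;MUTED
2.5.1;User account management (sample);iam_root_mfa_enabled;arn:aws:iam::111111111111:root;PASS;False
2.5.1;User account management (sample);iam_user_mfa_enabled_console_access;alice;FAIL;False
2.5.1;User account management (sample);iam_user_mfa_enabled_console_access;bob;PASS;False
2.9.4;Logging and monitoring (sample);cloudtrail_multi_region_enabled;arn:aws:cloudtrail:ap-northeast-2:111111111111:trail/main;PASS;False
2.9.4;Logging and monitoring (sample);cloudtrail_log_file_validation_enabled;arn:aws:cloudtrail:ap-northeast-2:111111111111:trail/main;FAIL;True
2.6.1;Network access control (sample);ec2_securitygroup_allow_ingress_from_internet_to_any_port;sg-0123456789abcdef0;FAIL;False
"""

def summarize_by_requirement(csv_text, include_muted=False):
    """Return {requirement_id: {"PASS": n, "FAIL": n, ..., "status": str,
    "failing": [(check_id, resource_id), ...]}}. A requirement's status is
    FAIL if any of its (non-muted, unless include_muted) findings is FAIL."""
    counts = defaultdict(lambda: {"PASS": 0, "FAIL": 0, "failing": []})
    for row in csv.DictReader(io.StringIO(csv_text), delimiter=";"):
        if row["MUTED"] == "True" and not include_muted:
            continue  # muted findings are accepted risks, not audit failures
        entry = counts[row["REQUIREMENTS_ID"]]
        status = row["STATUS"]
        entry[status] = entry.get(status, 0) + 1  # also counts e.g. MANUAL
        if status == "FAIL":
            entry["failing"].append((row["CHECKID"], row["RESOURCEID"]))
    for entry in counts.values():
        entry["status"] = "FAIL" if entry["FAIL"] else "PASS"
    return dict(counts)

def failing_requirements(csv_text):
    """Sorted requirement IDs that need remediation before the audit."""
    summary = summarize_by_requirement(csv_text)
    return sorted(r for r, e in summary.items() if e["status"] == "FAIL")
```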

 

5.4.3 Viewing Assessment Results in the Dashboard

 

Run the dashboard from the terminal to view the assessment results.

bash) prowler dashboard

When you run the dashboard command, a URL such as http://127.0.0.1:11666 will be displayed.

Access this URL in your browser to view the assessment results, as shown below.

– Overview: Summary of the overall assessment results.

 

– Compliance: Assessment results categorized by each compliance framework.

 

Leveraging Compliance for Enhanced Cloud Security and Efficiency

Utilizing Prowler as an Automation Tool for ISMS-P Compliance

 

  • Automatically assess compliance status using Prowler KISA-ISMS-P Compliance.
  • Export assessment results in JSON or CSV formats for use in internal reporting and audit documentation.
  • Maintain continuous compliance through regular assessment processes.
  • Improve cloud resource security by addressing vulnerabilities identified in Prowler’s assessment results.
  • Facilitate internal learning and sharing of practical security controls mapped to ISMS-P requirements within teams.

A Virtuous Cycle Between Enterprises and Open Source: Technology, Collaboration, and Sustainability

The Prowler community responded positively to MegazoneCloud’s contribution of the KISA-ISMS-P Compliance, providing high-quality feedback during the Pull Request (PR) approval process.
Furthermore, this collaboration has laid the foundation for continued contributions from MegazoneCloud and opened the door for future business partnerships, including further discussions with Toni de la Fuente, CEO of Prowler.

 

References

 

Project Contributors

 

  • Jude Bae (PM)
    • Email: jude@megazone.com
    • Role: As the project manager, Jude led the overall planning and development, managed team coordination, oversaw PR workflows, and facilitated communication with the community.
  • ES Kim (PL)
    • Email: es.kim@megazone.com
    • Role: As the project leader and a security compliance expert, ES defined ISMS-P requirements, reviewed and validated the suitability of the Checks list, and played a pivotal role in ensuring the precision and effectiveness of ISMS-P compliance standards.
  • Yenn
    • Email: yenn@megazone.com
    • Role: A member of the Cloud Security Team, Yenn supported code development and handled research and implementation of technical requirements related to ISMS-P.

MegazoneCloud, CTC(Cloud Technology Center)