An overview of ISMS Conformity Assessment Scheme in Japan

1. Background

  In Japan there was an accreditation scheme for information processing service businesses, "Secure Information Systems Accreditation Scheme for Information-Processing Service Companies" (Notification No.342 of the Ministry of International Trade and Industry on 20 September 1980). Under this scheme accreditation was granted to information processing service companies which implement sufficient security measures for their computer systems. It therefore relatively focused on physical measures for centrally controlled  information system facilities. In the meantime it became necessary to manage organizational information security more comprehensively, taking into consideration personnel security as well as technical measures. Responding to these circumstances, the elimination of  the accreditation scheme as of 31 March 2001 was decided by the Ministry of Economy, Trade and Industry (METI), along with the announcement of "the introduction of international standards for information security management and the reform of the Secure Information Systems Accreditation Scheme for Information-Processing Service Companies (on 31 July 2000)".

  Following this announcement, it was decided to establish a Conformity Assessment Scheme for Information Security Management Systems (ISMS Conformity Assessment Scheme) as a new scheme to reflect the needs of the time, incorporating both aspects of personnel management and technical security in a balanced manner.

2. Purposes

  Against the backdrop of a rapid spread of the Internet, activities related to the realization of e-government are being positively promoted in our country, such as the development of laws, technical verification, and the construction of an information and telecommunications infrastructure.

  On the other hand a variety of security incidents occur due to lack of appropriate security measures, including leakage of confidential and personal information as well as business interruptions caused by computer viruses, unauthorized accesses and system down time.

  These circumstances have raised consciousness about information security, and accordingly increased the need for organizations to establish comprehensive and systematic management for information security, which can be achieved by an approach from both perspectives of organizational management and technical security measures.

  The ISMS Conformity Assessment Scheme is an internationally consistent third party conformity assessment scheme for information security management. This scheme is intended to contribute to raising the overall level of information security in Japan and to provide confidence in the level of information security to other countries.

3. ISMS Certification Criteria

  Criteria for the certification under the ISMS scheme (hereinafter referred to as ISMS certification criteria) provide a basis for use by third party certification bodies in assessing the conformity of organizations' ISMS that seek to achieve certification under the ISMS scheme.

  In the ISMS scheme, ISMS certification criteria (Ver.0.8) were firstly developed based on both the international standard ISO/IEC 17799 and BS 7799-2. The certification criteria (Ver.0.8) were issued in April 2001 for a pilot project of the ISMS scheme. After the pilot project, ISMS certification criteria (Ver.1.0) were issued in April 2002 along with the launch of the full-scale operation of the ISMS scheme. The ISMS certification criteria (Ver.1.0) were then revised in line with the revision of BS 7799-2 and replaced by ISMS certification criteria (Ver.2.0) in April 2003. The criteria (Ver.2.0) have subsequently been used as the basis for ISMS certification under the scheme.

  In October 2005, an international standard that specifies requirements for ISMS, ISO/IEC 27001:2005, was published. This standard was translated and published as a national standard JIS Q 27001:2006. Accordingly, the ISMS certification criteria (Ver.2.0) were replaced with JIS Q 27001. Certification activities based on the national standard started following the replacement.

  Under the transition schedule on ISMS certification, the transition is to be completed by October 2007 (within 18months of the publication of JIS Q 27001:2006). The ISMS certification criteria (Ver.2.0) is planned to be abolished at that point.

- ISO/IEC 17799:2005 (Information technology - Code of practice for information security management) is an International standard that provides the Code (best practice) for implementing an effective ISMS to those responsible for an organizationfs information security.

- BS 7799-2:2002 (Information security management systems - Specification with guidance for use) is a British Standard used as the basis of BS 7799 certification.

- ISO/IEC 27001:2005 (Information technology - Security techniques - Information security management systems - Requirements) is an international standard that provides requirements for an organization to establish an ISMS.

4. Structure

  The ISMS conformity assessment scheme has a comprehensive structure composed of "certification bodies" that assess and certify an applicant organization's ISMS based on ISO/IEC 27001, "personnel certification bodies" that certify and register ISMS auditors, and the "accreditation body" that assesses the competence of those bodies in implementing such tasks. With regard to "auditor training bodies", the personnel certification bodies carry out the assessment of those bodies and approve them based on the result of the assessment.

  The following criteria and procedures are applied in the above phase (1) - (3) respectively.

(1) ISO/IEC 27001:2005 (JIS Q 27001:2006)
(2) Accreditation Criteria for ISMS certification Bodies
(3) Procedures for Accreditation of ISMS certification Bodies

Last modified: Thu May 20 11:46 JST 2010
Copyright © 2000-2016 JIPDEC All Rights Reserved.