Overview of the ISMS conformity assessment scheme

1. Purposes

The ISMS Conformity Assessment Scheme is an internationally consistent third-party conformity assessment scheme for information security management systems. The purpose of this scheme is to contribute to enhancing overall information security in Japan, and to achieve and maintain confidence in information security across the world.

2. ISMS Certification Criteria

The certification criteria of the ISMS conformity assessment scheme are those of ISO/IEC 27001:2013 (JIS Q 27001:2014).
ISO/IEC 27001 was translated into Japanese and published as a Japanese national standard, JIS Q 27001.
JIS Q 27001:2006 was issued in March 2006 in line with the publication of ISO/IEC 27001:2005, and was then revised and issued in March 2014 as JIS Q 27001:2014 following the revision of ISO/IEC 27001.

3. Structure

The ISMS conformity assessment scheme has a comprehensive structure composed of "certification bodies" that assess and certify an applicant organization's ISMS against ISO/IEC 27001, "personnel certification bodies" that certify and register ISMS auditors, and the "accreditation body" that assesses the competence of those bodies to carry out such tasks. "Auditor training bodies" are assessed by the personnel certification bodies, which approve them based on the result of that assessment.

Background: the development of the ISMS conformity assessment scheme

In Japan there was an accreditation scheme for information processing service businesses, the "Secure Information Systems Accreditation Scheme for Information-Processing Service Companies" (Notification No.342 of the Ministry of International Trade and Industry, 20 September 1980). Under this scheme, accreditation was granted to information processing service companies that implemented sufficient security measures for their computer systems. It therefore focused mainly on physical measures for centrally controlled information system facilities. Meanwhile, it became necessary to manage organizational information security more comprehensively, taking personnel security into consideration as well as technical measures. In response to these circumstances, the Ministry of Economy, Trade and Industry (METI) decided to abolish the accreditation scheme as of 31 March 2001, and announced "the introduction of international standards for information security management and the reform of the Secure Information Systems Accreditation Scheme for Information-Processing Service Companies" (31 July 2000).
Following this announcement, it was decided to establish a Conformity Assessment Scheme for Information Security Management Systems (the ISMS Conformity Assessment Scheme) as a new scheme reflecting the needs of the time, incorporating both personnel management and technical security in a balanced manner.