• Inquiry
  • +81-3-6425-6735
    (Business hours 9:00 am - 6:00 pm)

ISMAPISMAP Certification Consultation Service


MASON's Strengths

Top level performance for customers in the information systems industry

MASON's extensive security knowledge and in-depth knowledge of the information systems industry allows us to build a management system that is tailored to the client's actual situation.

Assistance by security consultants and auditors from major companies

Our consultants have extensive experience in security consulting and auditing for the information systems and manufacturing industries.

Consulting services to minimize the customers' man-hours.

MASON’s customers voiced out their concern regarding the number of man-hours. MASON guarantees the customers that they will be ISMAP certified with minimal man-hours.

What is ISMAP?


ISMAP is a system designed to facilitate the introduction of cloud services by pre-evaluating and registering cloud services that meet the security requirements of the government. The Japanese name of ISMAP is "Security Assessment Program for Government Information Systems. ISMAP is an abbreviation of "Information system Security Management and Assessment Program" in English translation.

Need to register for ISMAP Cloud Service List

ISMAP is managed by the Cabinet Cyber Security Center, the Digital Agency, the Ministry of Internal Affairs and Communications, and the Ministry of Economy, Trade and Industry, and is administered by an organization called the ISMAP Steering Committee. Cloud service providers (CSPs) request audits from audit organizations registered in the ISMAP audit organization list, and are audited on the status of implementation of information security measures based on the management standards in accordance with the audit standards, etc. The ISMAP Steering Committee receives applications from audited CSPs and conducts audits on the status of compliance with the requirements for cloud service registration applicants, and determines whether the registration is valid or not. The ISMAP Steering Committee will then register the cloud services that it deems appropriate for registration on the ISMAP Cloud Service List. In order for government agencies to use cloud services in the future, it will be mandatory for them to be registered with ISMAP. ISMAP registration will become necessary as the shift of government to the cloud is expected to become the domestic standard in the future. In addition, we cannot ignore the fact that many local governments and private companies have been concerned about cloud services security. From the perspective of the security level indicated by the government, ISMAP is likely to be used for security checks, and demand from local governments and private companies is expected to be on the rise.

Benefits of ISMAP Registration

1. Meeting the Needs of the Domestic Cloud Market

ISMAP is expected to become the standard for selecting cloud services not only for information system procurement by government agencies, but also by many local governments and private companies. Based on the societal shift toward the use of cloud computing, ISMAP can respond to the needs of the domestic cloud market, which is expected to expand in the future.

2. Increased credibility with stakeholders

ISMAP registration provides a competitive advantage in proving security levels; ISMAP vetted and registered cloud services are more credible in terms of government endorsement, as well as increased visibility and reputation.

3. Strengthening the company's brand power

The trustworthiness, brand power, and image of the company will certainly be enhanced. Compliance with ISMAP requirements, the government's security standard for cloud services, will prove to the company’s customers that the company is fully committed to the enhancement of information security. ISMAP registration is an essential tool for differentiating your company from competitors in the cloud services business, which is expected to accelerate in the future.

ISMAP Management Criteria

The ISMAP management standards are based on JIS Q (ISO/IEC) 27001, 27002, and 27017, which are applied for ISMS cloud security certification. In addition, they are structured by referring to the NIST standard SP800-53 and complying with the requirements that are lacking to meet the government's uniform standards.

The management standards consist of "Governance Standards," "Management Standards," and "Control Standards," which are required to be addressed by "management," "managers," and "practitioners," respectively. The most distinctive feature is the "Management Criteria," which has more than 1,000 items. The "Control Criteria" are questions that outline the rules and management systems that must be met in order to achieve ISMAP registration. The number of questions in the Governance Criteria is 18, the Management Criteria 85, and the Control Criteria 1,095, indicating that the number of questions in the Control Criteria is very large.

Therefore, CSPs are expected to spend a great deal of time in dealing with them. This service provides CSPs considering applying for registration on the ISMAP Cloud Services List with our extensive security knowledge and in-depth knowledge of the information systems industry to help them achieve ISMAP registration.

In ISMAP, three-digit control measures are called "control objectives" to be achieved, and four-digit control measures are called "detailed control measures" as specific means to achieve the control objectives.

ISMAP Registration Support Flow

1. Consideration of target services
  1. Determination of target services
  2. Confirmation of internal controls
  3. Preparation of schedule
2. Policy-making planning
  • Determination of basic policy for initiatives
3. Risk Assessment
  1. Identification of information assets
  2. Risk analysis
  3. Risk response plan development
  4. Approval of residual risk
4. Basic Requirements Analysis
  1. Selection of control objectives corresponding to risks
  2. Selection of 4-digit control measures for control objectives
  3. Design of individual control measures
5. Document Preparation/Revision
  • Preparation of regulations/revision of existing regulations
6. Implementation of measures
  • Implementation and implementation of individual control measures
7. Employee Training
  • Employee Training
8. Internal Audit Implementation
  1. Planning internal audits
  2. Conducting internal audits
  3. Documenting internal audit results
9. Determination of audit organization / execution of contract
  1. Selection of audit organization and request for audit
  2. Conclusion of contract with audit organization
10. External Audits
  • Audited by an auditing organization
11. Application for service registration to IPA: Prepare application form and apply for service registration to IPA.

MASON provides services tailored to the customers' needs. Please contact us.

MASON Consulting, Co., Ltd.

10th Floor Shiba Daimon Center Bldg.,
1-10-11 Shiba Daimon, Minato-ku, Tokyo

Location Map

MASON has acquired ISO27001 certification.

MASON is committed to implementing security measures in accordance with the Guidelines for Information Security Measures for Small and Medium Enterprises.