About the secure information systems accreditation scheme for
information-processing service companies
The following is an extract from "Guidance for the secure information
systems accreditation scheme for information processing service companies",
called a "blue book", which is no longer valid since the abolition of the scheme.
Purpose
The aim of the secure information systems accreditation scheme for
information-processing service companies (hereinafter referred to as "the
accreditation scheme") is to promote the implementation of security measures on
information systems among companies within the information processing service
business, and in turn to contribute to the sound development of informatization.
Under this scheme, the Minister of International Trade and Industry accredits
companies that take a certain level of security measures on their information
systems.
Scope
This accreditation scheme applies to the centers of
companies that engage in information processing service business (hereinafter
referred to as "companies within the information processing service business").
Information processing service business means the business involved in information
processing such as data processing and information retrieval (digital only) with
computers in response to demands of others. Thus it does not cover a company whose
information processing services are limited by documents such as their articles of
association to trading with only one particular company.
Accreditation process under the scheme
The following is the accreditation process under the scheme:
- Audit on facility criteria for application
An applicant submits specified documents to the designated audit body for the
audit of its center on the basis of facility criteria, and receives a report
of the audit result from the body.
- Application
Where an applicant wishes several centers to be accredited for information
systems security, it shall separately apply for accreditation of those centers
to the bureaus of International Trade and Industry (including the Okinawa general
secretariat of the Okinawa development agency) that have jurisdiction over the
location of the relevant centers. The applicant shall attach to the applications
the report of the audit result issued by the designated audit body and documents
that indicate how it implements security measures.
- Assessment of operational criteria
The bureau of International Trade and Industry conducts an assessment on
operational criteria based on the application and, if necessary, an on-site
assessment.
- Accreditation
Following the assessment by the bureau of International Trade and Industry, the
accreditation committee for information systems security of information processing
service companies, which is organized by the Ministry of International Trade and
Industry, deliberates on whether the applicant's center complies with the
accreditation standard. Where the committee ascertains that it complies, the
Minister of International Trade and Industry accredits the center as one where
information security measures are effectively taken. In the event of refusal, the
committee informs the applicant to this effect.
- Issue and publication of a certificate
When an applicant's center is accredited, a certificate is issued to the applicant
and the following are published in the official gazette:
  - The accreditation date and accreditation number
  - Applicant's name and address, and where the applicant is a legal entity, name of
    representative
  - Name and address of the relevant center
- Notification of changes, etc.
An accredited organization shall notify the bureau of International Trade and
Industry of changes to matters relating to criteria of the accreditation standard
and mentioned in its certificate, as well as cessation of relevant business.
  - In the event of changes to matters concerning criteria of the accreditation
    standard, submit a notification of the changes
    In the event of changes to matters mentioned in criteria of the accreditation
    standard that refer to facilities composing and related to information systems,
    an accredited body shall be audited on facilities by the designated audit body,
    and submit a report of the audit result with the notification.
  - Changes to matters mentioned in the certificate
    In the event of changes to matters mentioned in its certificate, the accredited
    body shall attach the certificate to the notification of the changes, and have
    it modified.
  - Cessation of business relevant to the accreditation
    Where the accredited body has ceased offering information-processing services,
    it shall notify the bureau of International Trade and Industry of the cessation
    and return its certificate to the bureau.
- Withdrawal of an accreditation
Where nonconformity of an accredited center to the accreditation standard is
found, or when any special issue emerges in light of the purpose of the
accreditation standard, its accreditation shall be withdrawn by the Minister of
International Trade and Industry through deliberation of the accreditation
committee for information systems security of information processing service
business. The organization relevant to the accreditation within the information
processing service business is informed of this withdrawal, and the withdrawn
center is published. The withdrawn organization shall return the relevant
certificate to the bureau of International Trade and Industry.
- Term of validity and extension of an accreditation
  - An accreditation remains valid for three years from the day when accredited, and
    may be renewed every three years.
  - An application for accreditation renewal shall be made to the bureau of
    International Trade and Industry between three and five months before the
    accreditation expiration date.
- Periodical report
An accredited organization shall prepare and submit reports on security measures
for every accredited center to the bureau of International Trade and Industry by
the end of June every year.
Last modified: Wed Nov 14 11:01 JST 2007
Copyright © 2000-2010 JIPDEC All Rights Reserved.