2. Purposes
Against the backdrop of the rapid spread of the Internet, activities related
to the realization of e-government are being actively promoted in our country,
such as the development of laws, technical verification, and the construction of
an information and telecommunications infrastructure.
On the other hand, a variety of security incidents occur due to a lack of appropriate
security measures, including leakage of confidential and personal information as
well as business interruptions caused by computer viruses, unauthorized access and
system downtime.
These circumstances have raised consciousness about information security,
and accordingly increased the need for organizations to establish
comprehensive and systematic management for information security,
which can be achieved by an approach from both perspectives of
organizational management and technical security measures.
The ISMS Conformity Assessment Scheme is an internationally consistent third party conformity assessment scheme for information security management. This scheme is intended to contribute to raising the overall level of information security in Japan and to provide confidence in the level of information security to other countries.
3. ISMS Certification Criteria
Criteria for the certification under the ISMS scheme (hereinafter referred to as ISMS certification criteria) provide a basis for use by third party certification bodies in assessing the conformity of organizations' ISMS that seek to achieve certification under the ISMS scheme.
In the ISMS scheme, ISMS certification criteria (Ver.0.8) were firstly developed based on both the international standard ISO/IEC 17799 and BS 7799-2. The certification criteria (Ver.0.8) were issued in April 2001 for a pilot project of the ISMS scheme.
After the pilot project, ISMS certification criteria (Ver.1.0) were issued in April 2002 along with the launch of the full-scale operation of the ISMS scheme. The ISMS certification criteria (Ver.1.0) were then revised in line with the revision of BS 7799-2 and replaced by ISMS certification criteria (Ver.2.0) in April 2003. The criteria (Ver.2.0) have subsequently been used as the basis for ISMS certification under the scheme.
In October 2005, an international standard that specifies requirements for ISMS, ISO/IEC 27001:2005, was published. This standard was translated and published as a national standard JIS Q 27001:2006. Accordingly, the ISMS certification criteria (Ver.2.0) were replaced with JIS Q 27001. Certification activities based on the national standard started following the replacement.
Under the transition schedule for ISMS certification, the transition is to be completed by October 2007 (within 18 months of the publication of JIS Q 27001:2006). The ISMS certification criteria (Ver.2.0) are planned to be abolished at that point.
- ISO/IEC 17799:2005 (Information technology - Code of practice for information security management) is an international standard that provides the code of practice (best practice) for implementing an effective ISMS to those responsible for an organization's information security.
- BS 7799-2:2002 (Information security management systems - Specification with guidance for use) is a British Standard used as the basis of BS 7799 certification.
- ISO/IEC 27001:2005 (Information technology - Security techniques - Information security management systems - Requirements) is an international standard that provides requirements for an organization to establish an ISMS.