Information System Security Management and Assessment Program (ISMAP)


Information System Security Management and Assessment Program (ISMAP) is a Japanese government program for assessing the security of public cloud services. The aim of ISMAP is to establish a common set of security standards that Cloud Service Providers (CSPs) comply with as baseline requirements for government procurement. ISMAP introduces security requirements for the cloud domains, practices, and procedures that cloud service providers must implement. To apply as an ISMAP registered provider, a cloud service provider must engage an ISMAP-approved third-party assessor to assess its compliance with the ISMAP security requirements. The ISMAP program will evaluate the security of cloud service providers and register those that satisfy the Japanese government’s security requirements. Once a provider is successfully registered under ISMAP, government procurement departments can accelerate their engagement with that provider.

AWS enables service providers and customers on AWS to create ISMAP-compliant environments.

  • What is ISMAP?

    ISMAP stands for “Information System Security Management and Assessment Program”. ISMAP is a Japanese government security assessment system which aims to ensure an appropriate security level in government cloud service procurement by proactively evaluating and registering cloud services that meet government security requirements. This is expected to help contribute to the smooth introduction of cloud services in Japan’s public sector.

  • Why is ISMAP being implemented?

    ISMAP provides a unified security requirement standard for assessing cloud service providers. Previously, when purchasing cloud services, central government agencies had to individually perform due diligence on the security measures implemented by the CSPs. With the introduction of the ISMAP program, central government agencies will be able to procure cloud services registered under this program more quickly, because the need to perform individual due diligence is eliminated.

  • Who can be ISMAP certified?

    Cloud service providers who provide their services to central government can be assessed and certified by ISMAP. However, it is expected that the scope of coverage will be expanded and the system will be used by the private sector in the future.

  • Is AWS ISMAP certified?

    As of January 2021, AWS has finished the third party audit and is applying for ISMAP.

  • Which AWS services and regions are in-scope of ISMAP?

    As of January 2021, ap-northeast-1 (Tokyo) and ap-northeast-3 (Osaka local region) are applying for ISMAP for services that are in scope for ISO/IEC 27001 and 27017 under Amazon Web Services.

  • Does AWS provide solutions to help with ISMAP certification?

    AWS will make available the necessary information and procedures to support customers in implementing security for their functions to meet ISMAP standard requirements for their ISMAP certification. AWS intends to provide customers and partners the flexibility to deploy and certify their solutions based on their business needs.

If you have questions regarding ISMAP compliance, please contact your AWS Account Manager or submit the AWS Compliance Contact Us Form to be connected with your account team.
