Information System Security Management and Assessment Program (ISMAP)


Information System Security Management and Assessment Program (ISMAP) is a Japanese government program for assessing the security of public cloud services. The aim of ISMAP is to establish a common set of security standards that Cloud Service Providers (CSPs) comply with as baseline requirements for government procurement. ISMAP introduces security requirements for the cloud domains, practices, and procedures that cloud service providers must implement. To apply as an ISMAP registered provider, cloud service providers must engage an ISMAP-approved third-party assessor to assess compliance with the ISMAP security requirements. The ISMAP program will evaluate the security of cloud service providers and register those who satisfy the Japanese government’s security requirements. Once a provider is successfully registered under ISMAP, government procurement departments can accelerate their engagement with that registered provider.

AWS enables service providers and customers on AWS to create ISMAP-compliant environments.


  • ISMAP stands for “Information System Security Management and Assessment Program”. ISMAP is a Japanese government security assessment system which aims to ensure an appropriate security level in government cloud service procurement by proactively evaluating and registering cloud services that meet government security requirements. This is expected to help contribute to the smooth introduction of cloud services in Japan’s public sector.

  • ISMAP provides a unified security requirement standard for assessing cloud service providers. When purchasing cloud services, it was previously necessary for central government agencies to individually perform due diligence on the security measures implemented by the CSPs. With the introduction of the ISMAP program, central government agencies will be able to procure cloud services registered under this program more quickly, because the need to perform individual due diligence is eliminated.

  • Cloud service providers who provide their services to central government can be assessed and certified by ISMAP. However, it is expected that the scope of coverage will be expanded and the system will be used by the private sector in the future.

  • Yes, AWS is ISMAP certified. The details are available on Information-technology Promotion Agency ISMAP.

  • The details of in-scope regions and services can be found on the Information-technology Promotion Agency ISMAP webpage. Additionally, a list of ISMAP services in scope can be found on AWS Services in Scope by Compliance Program.

  • AWS will make available the information and procedures customers need to implement security for their functions and meet ISMAP standard requirements for their own ISMAP certification. AWS intends to provide customers and partners the flexibility to deploy and certify their solutions based on their business needs.

If you have questions regarding ISMAP compliance, please contact your AWS Account Manager or submit the AWS Compliance Contact Us Form to be connected with your account team.
