ISMAP Overview


Information system Security Management and Assessment Program

To Japanese Top page

We don't translate everything into English. Furthermore, this is for reference only, and the official version is only in Japanese.
Inquiries are only accepted in Japanese.



The Information system Security Management and Assessment Program (ISMAP) aims to secure the security level of the government's cloud service procurement by evaluating and registering cloud services that meet the security requirements of the government in advance, thereby contributing to the smooth introduction of cloud services.

This system is operated by the Cabinet Cyber Security Center, the Digital Agency, the Ministry of Internal Affairs and Communications, and the Ministry of Economy, Trade and Industry based on the "Basic Framework of the Security Assessment System for Cloud Services in Government Information Systems" (decided by the Cybersecurity Strategic Headquarters on January 30, 2020). The Independent Administrative Agency Information-technology Promotion Agency (IPA) provides technical support related to the implementation and evaluation of the system.

ISMAP Overview (PDF:415KB)


 Basic framework of the system

In this system, the ISMAP Steering Committee establishes rules including the following.

● Requirements for cloud service registration applicants
● Standards for information security management and operation
● Requirements for audit institution registration applicants

The ISMAP Steering Committee registers in the ISMAP Audit Institutions List those institutions that have been identified as meeting the requirements for audit institution registration applicants.

Cloud service providers request audits from audit institutions registered in the ISMAP audit institution list and receive audits based on audit standards, etc. regarding the status of implementation of information security measures based on management standards.

Upon receiving an application from an audited cloud service provider, the ISMAP Steering Committee examines the compliance of the cloud service registration applicant with the requirements, and then registers the cloud service that is deemed appropriate for registration in the ISMAP Cloud Service List.

In principle, procurement ministries and agencies will procure cloud services from those listed on the ISMAP Cloud Service List.


 System Rules, etc.

①▶Basic Regulations for Information system Security Management and Assessment Program (ISMAP)  (PDF:167KB)

②▶ISMAP Cloud Service Registration Rules  (PDF:156KB)

③▶ISMAP-LIU Cloud Service Registration Rules  (PDF:194KB)

  ▶Appendix 1 Criteria for Evaluating the Impact of Operations and Information Related to the Use of SaaS  (PDF:94KB)

  ▶Appendix 2 Internal Auditing Requirements  (PDF:161KB)

④▶Guidance for Evaluating the Impact of Operations and Information in ISMAP-LIU  (PDF:389KB)

⑤▶Control Criteria of ISMAP  (PDF:476KB)

  Control Criteria of ISMAP Attached Tables  (Excel:143KB)

⑥▶ISMAP Information Security Assessment Guidelines  (PDF:258KB)