
Influence of Information security in Economic growth using ISMS standard as a tool
Koji Nakao
KDDI, Information Security Fellow
(supported by Prof. Yamassaki & JIPDEC)
Agenda

1) Current status of ISMS in Japan, including statistical data
2) Examples of implementation of ISMS for successful case studies
3) Important aspects of Information Security in Japan
4) Influence of Information security by using ISMS standard as a tool
Purpose of the ISMS Conformity Assessment Scheme

• The Conformity Assessment Scheme for Information Security Management Systems (ISMS) is a third party conformity assessment/certification scheme for information security management with international harmonization.
• This scheme is intended to contribute to raising the overall level of information security in Japan and to provide confidence in the level of information security to other organizations in Japan and in other countries.
Operation of the ISMS Conformity Assessment Scheme (as of Oct. 2010)
Copyright JIPDEC ISMS, 2010

[Diagram: two parallel schemes under one accreditation body.]
Accreditation body: Information Management Systems Promotion Center, JIPDEC. Certification bodies and personnel certification bodies apply to it and are assessed and accredited by it.
Certification scheme: applicant organizations apply to an accredited certification body, which assesses them and certifies their ISMS.
Personnel certification scheme: applicants for auditors attend a training course at an auditor training body (approved by the personnel certification body), receive a certificate of successful completion, apply to the personnel certification body, and are evaluated and certified as auditors.
ISMS Certification Bodies in Japan

25 accredited ISMS certification bodies (13th October, 2010)

ISR001  Japan Quality Assurance Organization (JQA)
ISR002  JIC Quality Assurance Ltd. (JICQA)
ISR004  BSI Group Japan K.K. (BSI-J)
ISR005  Union of Japanese Scientists and Engineers ISO Center (JUSE-ISO Center)
ISR006  Japanese Standards Association Management Systems Enhancement Department (JSA)
ISR007  Japan Audit and Certification Organization for Environment and Quality (JACO)
ISR008  DNV Business Assurance Japan KK (DNV)
ISR010  International Certificate Authority of Management System (ICMS)
ISR011  JMA QA Registration Center (JMAQA)
ISR012  Perry Johnson Registrars, Inc. of JAPAN (PJRJ)
ISR013  Japan Approvals Institute for Telecommunications Equipment (JATE)
ISR014  Deloitte-Tohmatsu Evaluation and Certification Organization Co.,Ltd (Deloitte-TECO)
ISR015  TUV Rheinland Japan Ltd. (TUV RJ)
ISR016  Management System Assessment Center Co., Ltd. (MSA)
ISR017  Japan Value-Added Certification Co.,Ltd (J-VAC)
ISR018  Bureau Veritas Japan Co.,Ltd. (BV Certification)
ISR019  Defense Procurement Structure Improvement Foundation System Assessment Center (BSK System Assessment Center)
ISR020  Lloyd's Register Quality Assurance Limited (LRQA Japan)
ISR021  SGS Japan Inc. (SGS)
ISR022  SGS Japan Inc. (SGS)
ISR023  NIPPON KAIJI KENTEI QUALITY ASSURANCE Ltd. (NKKKQA)
ISR024  ISA Co., Ltd (ISA)
ISR025  ASR Co.,Ltd (ASR)
ISR026  JAPAN CHEMICAL QUALITY ASSURANCE LTD. (JCQA)
ISR027  UL DQS Japan Inc. Management Systems Solutions (UL DQS)
Transition of the Number of ISMS Certificates in Japan

[Chart: quarterly total and sum total of ISMS certificates in Japan per quarter (Jan-Mar, Apr-Jun, Jul-Sep, Oct-Dec), 2002 to 2010. The sum total grows steadily from 1 in the first plotted quarter of 2002 to 3,636 as of 15 Oct 2010.]
Number of Certificates per Country
(http://www.iso27001certificates.com/)
As of 2010

Japan 3632, India 492, China 483, UK 453, Taiwan 371, Germany 139, Korea 106, USA 96, Czech Republic 86, Hungary 71, Italy 60, Poland 56, Spain 54, Malaysia 40, Ireland 37, Thailand 36, Austria 35,
Hong Kong 32, Greece 30, Romania 30, Australia 29, Mexico 24, Brazil 23, Slovakia 21, Turkey 21, UAE 20, France 19, Slovenia 17, Philippines 15, Pakistan 14, Vietnam 14, Iceland 13, Saudi Arabia 13, Netherlands 12,
Singapore 12, Indonesia 11, Bulgaria 10, Kuwait 10, Norway 10, Russian Federation 10, Sweden 9, Colombia 8, Bahrain 7, Iran 7, Switzerland 7, Canada 6, Croatia 6, South Africa 5, Sri Lanka 5, Lithuania 4, Oman 4,
Peru 4, Qatar 4, Chile 3, Egypt 3, Gibraltar 3, Macau 3, Portugal 3, Argentina 2, Belgium 2, Bosnia Herzegovina 2, Cyprus 2, Isle of Man 2, Kazakhstan 2, Morocco 2, Ukraine 2, Armenia 1, Bangladesh 1,
Belarus 1, Denmark 1, Dominican Republic 1, Jersey 1, Kyrgyzstan 1, Lebanon 1, Luxembourg 1, Macedonia 1, Mauritius 1, Moldova 1, New Zealand 1, Sudan 1, Uruguay 1, Yemen 1.
Total 6826

The total number of ISO/IEC 27001 certificates is now 6826.
Please note that not all certificates could be displayed in the register.
2) Examples of implementation of ISMS for successful case studies
(1) A-Securities firm
• ISMS scope: IS (Information Systems) department
• Organizational size: 10 departments, 200 employees
• Period: 8 months
• Implementation steps (main): project formation establishment, ISMS policy, risk assessment, controls selection and implementation, internal audit, management review
Establish ISMS Certification Project

[Diagram: project organization for the certification. Elements: CISO, External support, Internal Audit team, ISMS Core Team (the ISMS implementation team), line management of the organization, Employees and Contractors, Certification Body.]
CISO:
• Set the ISMS objectives of security management in the organization
• Set the ISMS commitment and lead in the organization
• Review the ISMS results
• Review information security incidents, and manage them
ISMS Core Team (supported by external support and the Internal Audit team):
• Lead ISMS operations in each organization
Line management of the organization:
• Cooperate ISMS implementation with the Core team
Certification Body: 1st audit, then maintain (yearly) and update (3 years) the certification.
(2) B-bank
• ISMS scope: headquarter divisions of the bank
• Organizational size: 30 departments, 1,000 employees
• Period: 11 months
• Implementation steps (main): total project planning, ISMS policy, risk assessment, controls selection and implementation, internal audit, management review, measurements, training and awareness
Project Master schedule

[Diagram: master schedule by implementation task, laid out on a Plan / Do / Check / Act axis.]
Phase 1, Establishment for information security: gap analysis, preparation for risk analysis, security policy arrangements, implementation plans.
Phases 2 and 3 follow the PDCA cycle: Plan (scope & policy, risk assessment, select controls, treatment plan), Do (implement controls), Check (operate, monitor/audit/reviews), Act (improve).
Implementation tasks: 100 Organization establishment; 200 Policy, standards, procedures fulfillment; 300 Asset management; 400 Education fulfillment; 500 Physical environment fulfillment; 600 Information system development; 700 Business continuity management; 800 Audit & self assessment; 900 Management implementation.
(3) C-Telecommunication
• ISMS scope: business unit of products and services development
• Organizational size: 5 departments, 200 employees
• Period: 9 months
• Implementation steps (main): ISMS policy, risk assessment including gap analysis based on 27002 controls, controls selection and implementation, internal audit, management review, measurements
Security Gap analysis by 27002 control

[Diagram: "Information Security Tub", a radar chart of scaled scores over the 11 control areas: 1 Security policy, 2 Organizational security, 3 Asset classification and control, 4 Personnel security, 5 Physical and environmental security, 6 Communications and operations management, 7 Access control, 8 Information systems development and maintenance, 9 Information security incident management, 10 Business continuity management, 11 Compliance. The target "Security level to be conformed" is marked on the score scale.]
Scaled score: A (100), B (75), C (50), D (25), E (0).
Security reviews feeding the analysis:
• Interviews (interviewees: security organization; owner/user/provider; outsource; vendor etc.)
• Document reviews (security policy, current guidelines, network configuration, operation procedures, user guides etc.)
• Site reviews (computer center, office, network, system, etc.)
Gap analysis is performed using evaluation criteria (A - E).

Evaluation Criteria
A - Excellent: Management cycle and improvement activities are performed for controls to be effective.
B - Above average: Standardized documentation/procedures exist and are in operation.
C - About average: Standardized documentation/procedures exist but are not in operation.
D - Little done: No standardized documentation/procedures exist; operations are performed orally or by each person individually.
E - Nothing done
(4) D-Consulting company
• ISMS scope: whole company
• Organizational size: 30 departments, 2,000 employees
• Period: 9 months
• Implementation steps (main): ISMS policy, risk assessment, controls selection and implementation, internal audit, management review, measurements scheme
ISMS measurements scheme establishment

PC Security (one of the Objectives)
• Objective: All PCs of the organization shall be secured based on the organization's regulated setting and maintenance.
• Measure: Conformed PCs / total PCs
• Target: 100%
• Indicators: Green zone 100% - 99%; Yellow zone 99% - 95%; Red zone 95% - 0%
• Controls to be implemented: A.9.2 (A.9.2.5, A.9.2.7); A.10.4 (A.10.4.1, A.10.4.2); A.11.3 (A.11.3.1, A.11.3.2, A.11.3.3); A.11.7 (A.11.7.1, A.11.7.2); A.15.1 (A.15.1.5); A.15.2 (A.15.2.1)
Actions by Indicators:
① In case of Yellow zone, some individuals do not conform. → Reassess non-conforming items and identify the causes. → Identify the controls relating to the causes (for example, screen saver) and re-define the safeguards.
② In case of Red zone, it is a totally risky situation for the organization. → Identify the weak department and request improvement actions from the CISO.
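The measurement scheme above, worked as an added example that is not part of the presentation or the consulting company's own tooling: it computes the "conformed PCs / total PCs" indicator over a constructed inventory, maps it to the green/yellow/red zones, and applies the two "actions by indicators" (cause and control identification for yellow, weakest-department escalation for red). The check names, the check-to-control mapping and the boundary rule (a ratio exactly on 99% or 95% counts for the better zone) are assumptions made for the example.

```python
"""Added example (not from the presentation): the PC-security measurement
of case (4) computed over a constructed PC inventory.
Indicator = conformed PCs / total PCs; zones from the slide: Green 100%-99%,
Yellow 99%-95%, Red 95%-0%. Assumption: a ratio exactly on a boundary counts
for the better zone. Check names, the check-to-control mapping and the
inventory data are constructed for illustration, not the company's data."""
from collections import Counter, defaultdict
from fractions import Fraction

# Assumed mapping from a failed PC setting to Annex A controls the slide lists.
CHECK_TO_CONTROLS = {
    "screen_saver_lock": ("A.11.3.2", "A.11.3.3"),
    "antivirus_current": ("A.10.4.1",),
    "disk_encrypted": ("A.9.2.5", "A.11.7.1"),
}


def conforms(checks):
    """A PC counts as conformed only when every regulated setting passes."""
    return all(checks.get(name, False) for name in CHECK_TO_CONTROLS)


def conformity_ratio(pcs):
    """pcs: list of (department, {check: bool}); an empty scope counts as 100%."""
    if not pcs:
        return Fraction(1)
    return Fraction(sum(conforms(c) for _, c in pcs), len(pcs))


def zone(ratio):
    """Map the indicator to the slide's colour zones (boundaries go up)."""
    if ratio >= Fraction(99, 100):
        return "green"
    if ratio >= Fraction(95, 100):
        return "yellow"
    return "red"


def evaluate(pcs):
    """Apply the slide's 'actions by indicators' and return a report dict."""
    by_dept = defaultdict(list)
    for dept, checks in pcs:
        by_dept[dept].append(checks)
    dept_ratio = {d: conformity_ratio([(d, c) for c in v]) for d, v in by_dept.items()}
    report = {"zone": zone(conformity_ratio(pcs)), "dept_ratio": dept_ratio}
    if report["zone"] == "yellow":
        # (1) reassess non-conforming items, find the causes and related controls
        causes = Counter(n for _, c in pcs if not conforms(c)
                         for n, ok in c.items() if not ok)
        report["causes"] = dict(causes)
        report["controls"] = sorted({ctl for n in causes
                                     for ctl in CHECK_TO_CONTROLS.get(n, ())})
    elif report["zone"] == "red":
        # (2) identify the weakest department and escalate to the CISO
        report["weakest_dept"] = min(dept_ratio, key=dept_ratio.get)
        report["action"] = "request improvement actions from CISO"
    return report


def sample_inventory(n_ok, failures):
    """Constructed inventory: n_ok fully conforming PCs in dept 'IS' plus one
    PC per (dept, failed_check) pair that fails exactly that setting."""
    good = {n: True for n in CHECK_TO_CONTROLS}
    pcs = [("IS", dict(good)) for _ in range(n_ok)]
    pcs += [(dept, {**good, failed: False}) for dept, failed in failures]
    return pcs
```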
(5) E-Manufacturing (group)
• ISMS scope: unified ISMS certification across the group companies
• Organizational size: 20 group companies + 100 departments, 30,000 employees
• Period: 10 months
• Implementation steps (main): ISMS objectives setting, ISMS policy, risk assessment, controls selection and implementation, internal audit, management review, measurements, integrating privacy
ISMS Objectives Establishment

What objectives are developed from Business/Security directions?
What targets are set to evaluate achievement of the objectives?
[Diagram: Management's Directions on Business (CEO's Business Directions) and Management's Directions on Security (CISO's Security Directions, ISMS Policy) lead to security requirements: NDA with Customer, PIP with Customer, Protected Information. From these, Security Objectives/Targets are set: Physical Security, PC Security, Education and Awareness, Asset Management, Security Management at Project, Retirement Mechanism, Incident Management (example: PC lost), results of Security Operations.]
ISMS improvement process

[Diagram: reporting and action flow between CEO, Management Committee, CISO and Security Staff, Organization Security Committee, and Dept/group Committees with their Committee Members.]
CISO and Security Staff: measure, collect, calculate, analyze, evaluate, report, indicate actions; results are published on the Web.
Reports go upward from the Dept/group Committees to the Organization Security Committee, the CISO, the Management Committee and the CEO.
The Management Committee recommends improvement actions; the CISO indicates actions to the Organization Security Committee, which indicates actions to the Dept/group Committees and their members.
3) Important aspects of Information Security in Japan
Motivation

Many governmental and public businesses consider and select companies which have already obtained ISMS certification, and this condition is clearly stated in their bidding conditions.
This is a good motivation for organizations to start developing an ISMS.
Examples (1)
☆ National Personnel Authority, Secretariat (人事院事務総局)
http://www.jinji.go.jp/tyoutatu/061030_1.nyusatsu.txt
☆ Ministry of Health, Labour and Welfare, Labour Bureau (厚生労働省労働局)
http://www.mhlw.go.jp/sinsei/chotatu/chotatu/pdf/roudou_sys-1a.pdf
☆ Japan National Tourism Organization, incorporated administrative agency (独立行政法人国際観光振興機構)
http://www.jnto.go.jp/jpn/downloads/bid_080218_shinsei.pdf
☆ Japan Arts Council, incorporated administrative agency (独立行政法人日本芸術文化振興会)
http://www.ntj.jac.go.jp/updata/20080414ntj1.pdf
☆ New Energy and Industrial Technology Development Organization, incorporated administrative agency (独立行政法人 新エネルギー・産業技術総合開発機構)
http://www.nedo.go.jp/informations/koubo/191207_11/191207_11.html
☆ Mie Prefecture, Accounting Support Office (三重県会計支援室)
http://www.pref.mie.jp/NYUSATSU/2008040033.htm
☆ Shiga Prefecture, Department of Residents' Culture and Life, Information Policy Division, IT Planning Office (滋賀県県民文化生活部情報政策課IT企画室)
http://www.pref.shiga.jp/nyusatsu/koukoku/ce00/20071122.html
☆ Miyagi Prefecture, Department of Environment and Living, Environmental Policy Division (宮城県環境生活部環境政策課)
http://www.pref.miyagi.jp/kankyo-s/report/H19_report/koukoku.ecoinfo.pdf
☆ Oita Prefecture, General Affairs Department, General Affairs Administration Center (大分県総務部総務事務センター)
http://www.pref.oita.jp/11850/nyusatsu/2080402.html
etc.
Example (2)
Open Bidding System
3. Parties eligible to participate in the competition (Organizations who can join the open bid)
(1) Must not fall under Article 70 of the Cabinet Order on Budgets, Settlement of Accounts and Accounting. Minors, persons under curatorship or persons under assistance who have obtained the consent required to conclude the contract fall under the "special reasons" case of that Article.
(2) Must not fall under Article 71 of the Cabinet Order on Budgets, Settlement of Accounts and Accounting.
(3) Must be graded "B", "C" or "D" in "Provision of services, etc." for the Kanto-Koshinetsu region under the Cabinet Office qualification for participation in competitive bidding for fiscal years 2004-2006 (unified qualification for all ministries and agencies).
(4) Must not be within a period of suspension of transactions imposed by a contracting officer or similar official.
(5) Must have obtained Information Security Management System (ISMS) certification or hold a Privacy Mark licence based on JIS Q 15001.
(You must be an organization who has already obtained ISMS certification, or Privacy Mark based on JIS Q.15001.)
Comparison between ISMS and P-mark (privacy-mark)

Application and scope
[Diagram: the departments of a company (Finance, Sales, Strategy, Accounting, Maintenance, Planning, General Affairs, Operation, Technology) plotted against the type of assets. The P mark covers privacy data wherever it is held, across all departments. ISMS covers all types of assets within its scope, here the Operation Department.]

• Applied to Standards for Information


Security Measures for the Central
Government Computer Systems;
• Applied to Telecommunication based on
ISO/IEC 27002:2005.
(ITU-T X.1051, ISO/IEC 27011)
• Applied to Information Security Audit.
(JASA has been actively working in this
area)…
• etc.
Outline of "Standards for Information Security Measures for the Central Government Computer Systems"
- To achieve the sectoral plan for raising the information security level of the whole government, the government formulates the "Standards for Information Security Measures for the Central Government Computer Systems" ('Standards for Measures').
- Each government agency implements measures according to the Standards for Measures, and the NISC inspects and evaluates the implementation status at the central government agencies. The ISPC makes recommendations for improvement based on the inspection/evaluation results.

[Diagram: PDCA cycle of the scheme.]
Standards for Measures: provide the minimum required standards for the measures to be taken by the central government agencies.
Information Security Policy Council (ISPC), Plan and Act: formulates the Standards for Measures; makes recommendations for improvement based on the results of evaluation of the measures taken by the central government agencies.
Government agencies, Do: review their own standards according to the Standards for Measures.
National Information Security Center (NISC), Check: inspects and evaluates the implementation status at the central government agencies, and the ISPC makes recommendations for improvement based on the inspection/evaluation results.
(1) Supplement standards of government agencies with the Standards for Measures: at present an agency's standards may have defects (absence or insufficiency) in information security measures; in future they are reviewed for compliance with the Standards for Measures.
(2) Raise each agency's information security level: at present the lowest level among agencies A to F lies below the minimum required level; in future the standards of each agency are reviewed for compliance with the Standards for Measures, the lowest level is raised, and a higher security level is achieved.

ITU-T X.1051 = ISO/IEC 27011
4) Influence of Information security by using ISMS standard as a tool
Information Security Controls in ISO/IEC 27002 can be a key component

ISO/IEC 27002:2005 control clause and the key component it supports:
• Security policy: Security strategy
• Organising information security: Security Governance
• Asset management: Asset Classification, etc.
• Human resources security: Education and Training
• Physical & environmental security: Entrance Control, etc.
• Communications & operations management: Network Security, Security Operation, etc.
• Access control: Authentication, IdM, etc.
• Information systems acquisition, development and maintenance: Application & System Security, etc.
• Information security incident management: Incident Handling, etc.
• Business continuity management: Disaster Recovery and BCM, etc.
• Compliance: Compliance to Regulation, etc.
Application to a work on Cloud discussed in Japan

Information security management guidelines for the use of cloud computing services based on ISO/IEC 27002
[Diagram: WG1, security management based on the whole controls of 27002: each of ISO/IEC 27002 clauses 5 to 15 has a corresponding CloudGuide. WG4, specialized in the specific controls, draws on ISO/IEC 27036 (Outsourcing), ISO/IEC 27033 (Network security), ISO/IEC 27034 (Application security), ISO/IEC 27035 (Incident management) and ISO/IEC 27031 (ICT readiness for BC).]
Other examples: 27011, 27015 etc.
Current & Future Perspective

• ISMS certification will lead to gaining client confidence and enhancing business competitiveness, and it will meet requirements for trade such as bidding conditions for governmental and public businesses.
• Regarding internal control, the management process of ISMS can be effectively utilized for business risk control (according to the statistical data in Japan).
• Although many security technologies exist nowadays, ISMS has been successfully binding many technologies together in a consistent way. It is true in Japan that information security is much influenced by the concept of ISMS and ISM throughout many sectors (maybe connecting to economic growth).
Guides on ISMS published by JIPDEC in Japan

• ISMS User's Guide - JIS Q 27001:2006 (ISO/IEC 27001:2005) compliant
• ISMS User's Guide - Risk Management
• ISMS User's Guide for Medical Organizations
• ISMS User's Guide for Payment Card Industry
• ISMS User's Guide on Legal Compliance
• How to utilize the ISMS Conformity Assessment Scheme in Outsourcing
• Guide on Compliance with PCI DSS/ISMS
• Others
[Diagram: PDCA cycle: Design Security*, Implement & use Security*, Monitor & review Security*, Maintain & improve Security*]
