Efforts to Promote ISMAP-LIU Registration
- Last Updated:
Information on ISMAP-LIU and efforts to promote ISMAP-LIU in Digital Agency are introduced.
1. Overview
The Security Assessment System for Government Information Systems (hereinafter referred to as "ISMAP") is a system aimed at ensuring the security level of government cloud service procurement and contributing to the smooth introduction of cloud services by evaluating and registering cloud services that meet the security requirements of the government in advance.
In order to promote the expansion of cloud by default in administrative organizations, the government has established ISMAP-LIU (ISMAP (Information System Security Management and Assessment Program) for Low-Impact Use) as a mechanism for SaaS services used for processing operations and information with low security risks within ISMAP.
Digital Agency is working to promote the registration of SaaS services in ISMAP-LIU. For details, please refer to 4. Digital Agency Initiatives .
2. About ISMAP-LIU
Eligible SaaS Services
Among SaaS that handle Confidentiality class-2 information, those used for processing low-risk business and information are eligible. For details, please refer to the "ISMAP-LIU Business and Information Impact Assessment Guidance (ISMAP portal site)" posted on the [ISMAP-LIU] Various Procedures .
Benefits
Compared with ISMAP, ISMAP-LIU reduces the scope of external audits of control measures.
Reduction of the Scope of External Audits and Implementation of Internal Audits
When registering with ISMAP and ISMAP-LIU, conduct external audits and reviews of the controls in the governance, management and control measures criteria in the ISMAP management criteria.
In the case of ISMAP-LIU, all governance and management standards are subject to annual external audits, while some key governance and management standards (those that can have a direct impact on the service infrastructure and service structure) are subject to external audits, which are conducted on a standardized basis over several years.
With respect to ISMAP-LIU, CSPs (SaaS providers) are required to report the implementation status of their own internal audits. With respect to internal audits, all control objectives of the Standards for Control Measures must be covered at least once in the last three years.
3. How to register with ISMAP-LIU
ISMAP portal site System Regulations, etc.)" and "ISMAP-LIU Cloud Service Application Guide ( [ISMAP-LIU] Various Procedures )" posted on the ISMAP portal site .
4. Digital Agency Initiatives
Digital Agency has established the "Special Measures to Promote ISMAP-LIU Enrollment" (hereinafter referred to as the "Special Measures") to expand the use of secure SaaS services in government agencies, etc. Please refer to the following for details.
Special Measures (Application Closed)
Under the Special Measures, SaaS services that are scheduled to apply for registration in the ISMAP-LIU Cloud Service List and meet certain requirements will be registered in the Special Measures Service List (hereinafter referred to as the "Service List").
Benefits of being on the Service List include:
- The list of services is shared with government agencies (not generally disclosed) and referenced when each agency procures SaaS services.
- During the period of special measures, it will be possible to exempt a part of the submission related to registration in the ISMAP-LIU Cloud Service List
- During the period of special measures, it will be possible to partially exempt the subject of external audit
For details of special measures such as the content of certain requirements required for registration in the Service List, please refer to , "Special Measures for Promoting Registration of ISMAP-LIU (PDF / 679 kb)" .
In addition, please also check the Points of Attention Regarding Points of Attention Regarding Special Measures to Promote ISMAP-LIU Registration.
Points of Attention Regarding Special Measures to Promote ISMAP-LIU Registration
The provision in "2. Framework of Special Measures (2) Application Requirements" that "an application for registration with ISMAP-LIU (including an advance application) is scheduled to be submitted during the period of operation of the special measures for SaaS services to which the special measures are to be applied" requires the submission of documents related to the advance application of ISMAP-LIU to the ISMAP Operation Support Organization through the ISMAP portal site by the end of March 2025 (2025) during the period of operation of the special measures.
*As a general rule, by the end of March 2025 (2025) during the operation period of this special measure, Chapter 8 (Application for Service Registration) of the ISMAP-LIU Cloud Service Registration Regulations will be required, but as an exception, the special measure can be applied even at the advance application stage.