Skip to main content

This page has been translated using TexTra by NICT. Please note that the translation may not be completely accurate.If you find any mistranslations, we appreciate your feedback on the "Request form for improving the automatic translation ".

Efforts to Promote ISMAP-LIU Registration

Information on ISMAP-LIU and efforts to promote ISMAP-LIU in Digital Agency are introduced.

1. Overview

The Security Assessment System for Government Information Systems (hereinafter referred to as "ISMAP") is a system aimed at ensuring the security level of government cloud service procurement and contributing to the smooth introduction of cloud services by evaluating and registering cloud services that meet the security requirements of the government in advance.
In order to promote the expansion of cloud by default in administrative organizations, the government has established ISMAP-LIU (ISMAP (Information System Security Management and Assessment Program) for Low-Impact Use) as a mechanism for SaaS services used for processing operations and information with low security risks within ISMAP.
Digital Agency is working to promote the registration of SaaS services in ISMAP-LIU. For details, please refer to 4. Digital Agency Initiatives .

2. About ISMAP-LIU

Eligible SaaS Services

Among SaaS that handle Confidentiality class-2 information, those used for processing low-risk business and information are eligible. For details, please refer to the "ISMAP-LIU Business and Information Impact Assessment Guidance (ISMAP portal site )" posted on the [ISMAP-LIU] Various Procedures .

Benefits

Compared with ISMAP, ISMAP-LIU reduces the scope of external audits of control measures.

Reduction of the Scope of External Audits and Implementation of Internal Audits

When registering with ISMAP and ISMAP-LIU, conduct external audits and reviews of the controls in the governance, management and control measures criteria in the ISMAP management criteria.
In the case of ISMAP-LIU, all governance and management standards are subject to annual external audits, while some key governance and management standards (those that can have a direct impact on the service infrastructure and service structure) are subject to external audits, which are conducted on a standardized basis over several years.

A chart showing the differences in the scope of external audit coverage between ISMAP and ISMAP-LIU, based on the preceding explanatory note, can be compared with ISMAP-LIU's control standards, which cover some controls rather than all controls.

With respect to ISMAP-LIU, CSPs (SaaS providers) are required to report the implementation status of their own internal audits. With respect to internal audits, all control objectives of the Standards for Control Measures must be covered at least once in the last three years.

Image of a SaaS provider submitting an internal audit report to the ISMAP system. The SaaS provider reports implementation information in the internal audit report, and the ISMAP system checks the internal audit report.

3. How to register with ISMAP-LIU

ISMAP portal site System Regulations, etc.)" and "ISMAP-LIU Cloud Service Application Guide ( [ISMAP-LIU] Various Procedures )" posted on the ISMAP portal site .

4. Digital Agency Initiatives

Digital Agency has established the "Special Measures to Promote ISMAP-LIU Enrollment" (hereinafter referred to as the "Special Measures") to expand the use of secure SaaS services in government agencies, etc. Please refer to the following for details.

Special Measures (Application Closed)

Under the Special Measures, SaaS services that are scheduled to apply for registration in the ISMAP-LIU Cloud Service List and meet certain requirements will be registered in the Special Measures Service List (hereinafter referred to as the "Service List").
Benefits of being on the Service List include:

  • The list of services is shared with government agencies (not generally disclosed) and referenced when each agency procures SaaS services.
  • During the period of special measures, it will be possible to exempt a part of the submission related to registration in the ISMAP-LIU Cloud Service List
  • During the period of special measures, it will be possible to partially exempt the subject of external audit

For details of special measures such as the content of certain requirements required for registration in the Service List, please refer to , "Special Measures for Promoting Registration of ISMAP-LIU (PDF / 679 kb)" .
In addition, please also check the Points of Attention Regarding Points of Attention Regarding Special Measures to Promote ISMAP-LIU Registration.

Points of Attention Regarding Special Measures to Promote ISMAP-LIU Registration

The provision in "2. Framework of Special Measures (2) Application Requirements" that "an application for registration with ISMAP-LIU (including an advance application) is scheduled to be submitted during the period of operation of the special measures for SaaS services to which the special measures are to be applied" requires the submission of documents related to the advance application of ISMAP-LIU to the ISMAP Operation Support Organization through the ISMAP portal site by the end of March 2025 (2025) during the period of operation of the special measures.
*As a general rule, by the end of March 2025 (2025) during the operation period of this special measure, Chapter 8 (Application for Service Registration) of the ISMAP-LIU Cloud Service Registration Regulations will be required, but as an exception, the special measure can be applied even at the advance application stage.

5. Related Information

Related Links