What is ISMAP and how can your organization implement the framework?
What is ISMAP?
The Information system Security Management and Assessment Program (ISMAP) is a Japanese government framework used to assess the security level of cloud service providers that want to participate in public sector projects. Often referred to as the “Japanese FedRAMP,” the framework itself is based on ISO/IEC 27001:2013 (Information Security Management System), with some added requirements that are unique to ISMAP. The goal of ISMAP is to centralize the set of requirements: currently, different government entities may impose different security requirements on an organization acting as a supplier, but moving forward ISMAP is the single source of truth for security requirements, allowing an organization with ISMAP registered status to conduct business with multiple government entities.
The basic structure of the framework consists of Chapters 5-18, which correlate to the Annex A domains of ISO/IEC 27001:2013; for example, Chapter 14 in ISMAP is the system acquisition, development, and maintenance domain, which matches A.14 in ISO/IEC 27001:2013. Clauses 4-10, the governance requirements in ISO/IEC 27001:2013, all reside in Chapter 4. Additionally, there is a separate chapter for cloud-specific controls, because the framework assesses cloud service providers. All in all, there are nearly 1200 controls, making it one of the largest and most strenuous security compliance frameworks globally.
Each control is designated a pattern type, lettered “A” through “I.” The pattern type determines the type of evidence required for the control. For example, pattern type “A” relates to a policy or procedure document, whereas pattern type “C” relates to a log showing the control occurring. The full list of control criteria with mappings to NIST 800-53 can be found here.
Cloud service providers can request audits from the authorized list of ISMAP assessors and conduct an initial audit in a 4-part series:
- Gap Analysis – Determine the state of the information security management system in relation to the ISMAP framework.
- Control Description Validation – The third-party auditor will verify that control descriptions that are unique to the cloud service provider meet the ISMAP requirements.
- Design Phase – Auditors will verify, by inspecting a sample of one piece of evidence per control, that controls are designed appropriately.
- Operation Phase – Auditors will verify, through a population and sample selection, that controls are operating effectively during the audit period.
The application submission to the ISMAP Steering Committee consists of the third-party attestation that the information security management system (ISMS) is meeting the requirements of the framework and the cloud service provider’s application documentation, outlining the scope, a management confirmation, and appendices that may be specific to the cloud service provider, such as disclosing any breaches or improvement plans for any findings.
For cloud services or tools deployed within the ISMS that are not themselves ISMAP registered, additional information must be provided to the Information-technology Promotion Agency (IPA) during the application period. The IPA may ask, for example, how and why the ISMS uses the technology, or what data is consumed by the service or tool. The IPA also takes this information into consideration when deciding on the ISMAP application.
Lastly, because the framework is specific to cloud services for Japanese public sector consumers, every application document, control description, and answer to questions from the IPA must be translated into Japanese. It may be beneficial to retain translation services for the entire duration of implementation, audit, and subsequent awarding of the certification.
ISMAP Implementation Guide
Because ISMAP is founded on the ISO/IEC 27001:2013 standard, many of the documentation requirements set forth in ISO/IEC 27001:2013 will apply to ISMAP, with the addition of specific context and content. From a governance and management system requirements perspective, a program manual that calls out all the processes set forth in the ISMS is ideal for laying the groundwork for the program. The applicable governance requirements from ISO/IEC 27001:2013, including but not limited to evidence of a risk assessment methodology, an internal audit program, a management review process, and a corrective action process, can all be spelled out in the program manual, with additional supporting documentation as evidence that such processes are implemented.
Many of the control policies developed for ISO/IEC 27001:2013 will still apply to ISMAP. However, a large majority of them will require additional context, identifying and documenting requirements drawn from the ISMAP control language. For example, ISMAP requires a risk communication document, which is not a requirement for ISO.
The most effort will be required for the implementation of controls, owing to the specificity and extensiveness of the control domains as defined in ISMAP. Control descriptions can be written to align with how the organization already operates and implements its existing controls; however, these descriptions must still meet the ISMAP control requirements.
Currently, the IPA has not published ISMAP requirements to correlate to the updated version of the ISO standard, ISO/IEC 27001:2022.
Reducing the Effort
Due to the structure of ISMAP, more than half of the controls and requirements map back to ISO/IEC 27001:2013 and SOC 2 (Security, Availability, and Confidentiality). If the cloud service provider has already certified its ISMS against ISO/IEC 27001:2013 or maintains a SOC 2 system, the effort can likely be reduced by mapping the existing, already implemented controls to the ISMAP control descriptions. Because this is an annual audit against 100% of the requirements, the audit period may be 12 months; however, it will take roughly six months to complete the Design Phase and Operation Phase of the audit, which can demand a large amount of time and effort from a dedicated Governance, Risk and Compliance (GRC) team.
An alternative, lower-effort option is to certify against ISMAP-LIU, which is designed for low-risk operations and information processing and is typically reserved for small start-up organizations. Risk level is determined across six categories:
- Inconvenience, distress, or damage to standing or reputation (of the organization)
- Financial loss (of the organization)
- Harm to agency programs
- Unauthorized release of sensitive information
- Personal safety
- Civil or criminal violations
Each of these categories must be evaluated and rated as “Low” impact for the system to qualify for ISMAP-LIU; the rating is validated by the ISMAP Steering Committee during the application process. If the evaluation qualifies for ISMAP-LIU, the governance and management requirements still apply to the system, but only 148 controls are assessed externally, totaling 230 requirements, which compares favorably with the nearly 1200 in the standard ISMAP framework. The remaining requirements are covered by the internal audit process, which can test controls once per three-year audit cycle.
The ISMAP framework standardizes security compliance for cloud providers serving Japan’s public sector, akin to the United States FedRAMP framework. Built on ISO/IEC 27001:2013, it includes around 1200 controls for rigorous security evaluation. ISMAP-LIU offers a lighter version for low-risk providers, easing the compliance load. Coalfire supports organizations in achieving ISMAP certification, especially those with existing ISO or SOC 2 credentials.
How Coalfire Can Help
Coalfire’s team of Commercial GRC Advisors can help with your ISMAP aspirations. The global compliance frameworks in which Coalfire Commercial GRC Advisory specializes include ISO, SOC, and ISMAP, and that experience can greatly reduce the time and effort spent on compliance requirements.
If you have an existing ISO/IEC 27001:2013 certification or SOC 2 report, Coalfire can intake that information to expand the ISMS to include ISMAP. If there is no existing certification or report, Coalfire can start from scratch, building an integrated program that will align with all three frameworks, enabling your organization to mature your compliance posture.