Font Size Change
Easy Web Browsing tool

Cybersecurity Management Guidelines Revised

The Ministry of Economy, Trade and Industry (METI) and the Information-technology Promotion Agency, Japan (IPA) cooperatively revised the Cybersecurity Management Guidelines, aiming to further disseminate the guidelines.

1. Background

METI and the IPA cooperatively formulated the guidelines in December 2015 as a guide to encourage corporate managers to take leadership in promoting cybersecurity measures in their companies, and since then, they have been engaging in efforts for disseminating the guidelines.

As cyberattacks have become growingly sophisticated year after year, an increasing number of companies are facing difficulties in preventing cyberattacks or even in finding the fact that they have been subjected to such attacks. As seen in this situation, proactive measures cannot sufficiently serve for tackling such attacks anymore. In particular, Asian countries, including Japan, are likely to take a longer time before finding cyberattack damages than the global average time. In contrast, Western countries have been advancing efforts for revising guidelines for cybersecurity to address the current situation in cyberattacks. They also prioritize efforts for post-accident measures, such as detection, response and recovery, and require domestic companies to take such measures.

Against this backdrop, METI and the IPA cooperatively held meetings of a Study Group for Revision of the Cybersecurity Management Guidelines. Based on examination of the discussion results of the study group, they revised the guidelines to add post-accident measures and other rules.

2. Key points of the revised guidelines

Based on the opinions of experts and public comments, METI and the IPA revised the guidelines mainly concerning the following points.

  • METI and the IPA revised ten important items on which corporate managers should execute directions to CISOs and other personnel in responsible positions, while maintaining the existing three principles that corporate managers need to recognize.
  • The existing “Item 5: Establish a framework for addressing cybersecurity risks” was revised to newly include a direction concerning a framework for risk management, including detection of cyberattacks.
  • The existing “Item 8: Develop a preparatory framework for recovery from damages caused by any incident” was revised to newly include a direction for preparation for recovering from damages caused by cyberattacks.
  • The existing “Item 9: Take measures for business partners, outsourcing companies, and other entities involved in overall supply chains and ascertain the current situation thereof” was revised to add a direction for enhancing measures for supply chains and to streamline similar directions.
  • The existing Annex A was revised to provide a correspondence relationship between the guidelines and the cybersecurity framework issued by the National Institute of Standards and Technology (NIST), the United States, and to include new sections to amend and check items.
  • The existing Annex B was revised to provide a collection of a variety of references for companies in developing cybersecurity measures according to the ten important items.
  • The existing Annex C was revised to newly provide instructions as reference information that companies should streamline to address occurrence of incidents.


Release date

November 16, 2017

Division in Charge

Cybersecurity Division, Commerce and Information Policy Bureau

Related website

Ministry of Economy, Trade and Industry1-3-1 Kasumigaseki, Chiyoda-ku, Tokyo 100-8901, Japan Tel: +81-(0)3-3501-1511
Copyright Ministry of Economy, Trade and Industry. All Rights Reserved.