“Information Security Service Standards, 3rd Edition” Publicized

1. Background

In February 2018, METI published the “Information Security Service Standards” and the “Examination and Registration Authority Standards for Information Security Services,” as an effort to provide a system in which users of information security services are able to refer to such standards when selecting a provider and use the services with peace of mind.

More than five years have passed since the first edition was published, and the second edition, which was published in January 2022, was found to have been referred to by a substantial number of companies. Against this backdrop, METI, in order to further disseminate the Information Security Service Examination-Registration System based on the standards, held a series of meetings of the Study Group on Promoting the Dissemination of Information Security Services, and the study group discussed the revision of the second edition of the standards.

In light of the information and opinions offered and discussed by the experts of the study group and public comments, METI revised the second edition of the standards to add a new service category, “Services for Verification of Equipment,” to the existing four “Information Security Services” categories (i.e., services for information security auditing, services for vulnerability assessment, services for digital forensics, and services for security monitoring and operation) and hereby publishes the third edition of the standards.

2. Outline of the revision of the Information Security Service Standards

In this revision, METI added to the “Information Security Services” category a new category, “Services for Verification of Equipment,” composed of services for verification of equipment, vulnerability assessment of web applications and vulnerability assessment of platforms, which all target a system (IoT system) consisting of devices with network communication functions, such as IoT devices, and applications that enable operation, management and data processing via a network to such devices. The call for registration of services under the Services for Verification of Equipment category is scheduled to start in the FY2023 third round of call around September 2023.

Moreover, in line with the addition of the Services for Verification of Equipment category, METI published the second edition of the “Examples of Measures that Contribute to Securing Technology and Quality in Information Security Services.”

Related Material

• Information Security Service Standards 3rd edition (in Japanese)(PDF:174KB)
• Examples of Measures that Contribute to Securing Technology and Quality in Information Security Services 2nd edition (in Japanese)(PDF:213KB)

Division in Charge

Cybersecurity Division, Commerce and Information Policy Bureau