Want to sell your SaaS to Japanese government agencies? You’ll need ISMAP certification. ISMAP (Information System Security Management and Assessment Program) is Japan’s official framework for evaluating cloud services for government use. Without it, your service won’t even be considered for public sector contracts.

Here’s what you need to know:

  • ISMAP-LIU: A streamlined path for SaaS handling low-risk (Confidentiality class-2) data, with reduced audit requirements.
  • Certification Process: Align with ISMAP’s governance, management, and control standards. Leverage existing certifications like ISO/IEC 27001 to simplify compliance.
  • Key Steps:
    • Define your certification scope.
    • Map existing certifications to ISMAP requirements.
    • Implement technical controls (e.g., encryption, identity management).
    • Work with ISMAP-approved auditors.
  • Timeline: Certification takes 6–12 months and requires ongoing audits to maintain compliance.
  • Local Requirements: All documentation must be in Japanese, requiring comprehensive localization, and data encryption must follow Japan’s CRYPTREC standards.

Why it matters: ISMAP certification gets your SaaS listed on the government-approved Cloud Service List, opening doors to Japan’s public sector market. This is a critical component of a successful SaaS GTM strategy in Japan. The 2026 updates have simplified requirements, making it easier for SaaS providers to achieve compliance.

ISMAP is your gateway to the Japanese government market. Ready to start? Let’s dive in.

Laying the Groundwork for ISMAP Compliance

Defining Your Certification Scope

Getting your certification scope right is the first step toward ISMAP compliance. Start by identifying the appropriate ISMAP track. For most SaaS providers dealing with Confidentiality class-2 information, ISMAP-LIU is the best fit. Confirming this early can save both time and money.

Once you’ve settled on the track, outline your specific scope. Document which services, systems, and organizational units fall under ISMAP controls. If you already have a valid ISO/IEC 27001 (ISMS) certification, and it covers your cloud service and related teams, you’re eligible for a multi-year external audit cycle. Make sure your ISMS explicitly includes these areas to meet the requirements. Also, starting March 2024, your Statement of Conformity (言明書) must clearly indicate whether Generative AI features are part of the scope.

Mapping Existing Certifications to ISMAP

After defining your scope, the next step is to leverage any certifications you already hold. If you’re certified in ISO/IEC 27001 or SOC 2, you’re already ahead of the game. ISMAP aligns Chapters 5–18 with ISO Annex A and Chapter 4 with ISO Clauses 4–10.

"More than half of the controls and requirements map back to ISO/IEC 27001:2013 and SOC 2 (Security, Availability, and Confidentiality)." – Jason David, Senior Manager, Advisory Services, Coalfire

To streamline the process, create a crosswalk document that compares your existing controls with ISMAP’s nearly 1,200 controls. Update your control descriptions to align with ISMAP’s specific language requirements. Keep in mind that ISMAP currently references the 2013 version of ISO/IEC 27001, so plan accordingly. Additionally, since all application documents submitted to the IPA must be in Japanese, factor in Japanese localization and translation from the start.

Building a Security Governance Framework

With your certifications mapped, the next step is to establish a strong governance framework. ISMAP requires three types of evidence: documented policies, recorded procedures, and configuration settings. This framework will not only support your mapping process but also guide the technical controls you’ll need to implement.

Develop a central Program Manual to document your ISMS processes. This should include your risk assessment methods, internal audit schedules, and corrective action workflows. A well-prepared manual can address a significant portion of ISMAP’s governance requirements while providing auditors with a clear view of your security program. Under ISMAP-LIU, your internal audits must cover all control objectives within a three-year cycle. To avoid potential setbacks, coordinate early with your external auditor to clarify what qualifies as a "Main Audit Target", especially under the updated criteria effective August 2024. Misunderstandings in this area have often led to unnecessary rework.

Implementing ISMAP Security and Technical Controls

After establishing governance and mapping, the next step in your ISMAP compliance journey involves implementing key technical controls. These controls focus on securing infrastructure, managing identities, and protecting data.

Securing Infrastructure and Networks

If your SaaS platform operates on cloud providers like AWS, Azure, or Google Cloud – already registered under ISMAP – your focus should shift to securing your application and data. These providers handle ISMAP compliance for their infrastructure layers, significantly reducing your compliance workload.

In late 2025, ISMAP streamlined its control framework, reducing control items from 1,081 to 253 and aligning with ISO/IEC 27002:2022. The updated framework organizes controls into four main categories, with an additional category specifically for cloud environments. Hamamoto Ryuta from TIMEWELL Inc. explains:

"The revision has two main points. First, to align with the ISO/IEC 27002:2022 update, the controls are reorganized into four categories, plus a fifth for cloud-specific controls. Second, the detailed control items are compressed from 1,081 to 253."

For network security, use attribute-based access controls, such as GitHub branch permissions, Kubernetes namespaces, or Snowflake roles, to restrict access based on user roles and residency. Strengthen identity management and logging systems to bolster access controls and monitor for incidents effectively.

Identity Management and Logging

ISMAP’s standards for identity and access management derive from ISO/IEC 27001, ISO/IEC 27017 (cloud security), and ISO/IEC 27018 (privacy in cloud computing). To align with these requirements, implement a robust identity management framework.

When choosing a third-party identity provider, opt for ISMAP-registered vendors. For instance, IIJ ID Service earned ISMAP registration in January 2026, making it a practical choice for SaaS businesses aiming to ease their compliance efforts.

Automating logging is essential to meet Japan’s stringent breach notification rules under the Act on the Protection of Personal Information (APPI). If a qualifying breach occurs, you must submit an initial report to the Personal Information Protection Commission (PPC) within 3 to 5 business days and follow up with a detailed report within 60 days for incidents involving unauthorized access. Non-compliance can lead to penalties as high as ¥100 million (approximately $670,000 USD). From the outset, ensure automated log collection and alerting mechanisms are in place to meet these deadlines.

Once identity and logging systems are secure, the next focus is safeguarding data through encryption and key management.

Data Protection and Cryptography

ISMAP enforces strict encryption standards for government data. If your service uses non-domestic data centers, you must employ encryption algorithms from the CRYPTREC cipher list, Japan’s approved list of e-Government ciphers.

Proper key management is equally critical. Compliance requires encryption keys to be managed either by the user or through tamper-resistant devices. This approach also provides flexibility:

"If you do encryption and key management properly, AWS’s overseas regions can be on the table." – Hamamoto Ryuta, TIMEWELL Inc.

For SaaS products powered by AI, the compliance bar is set even higher. Providers offering AI models via API must implement KYC (Know Your Customer) checks during onboarding, IP-based geoblocking, and token usage limits. These measures are increasingly expected as part of ISMAP assessments, especially for AI-related services.

ISMAP vs ISMAP-LIU: Which Certification Path Is Right for Your SaaS?

Once your technical controls are firmly in place, the next step is to dive into the formal certification process. This involves external audits, evidence reviews, and ultimately getting your service listed on the ISMAP Cloud Service List, managed by the Information-technology Promotion Agency (IPA). The entire process typically takes 6 to 12 months. With your internal controls aligned, the next move is to engage an ISMAP-approved assessor.

Working with ISMAP-Approved Assessors

ISMAP mandates an external audit conducted by a certified, ISMAP-registered audit firm – self-certification isn’t an option. It’s smart to bring in an approved assessor early, even before finalizing your documentation. This allows you to conduct a gap analysis against ISO/IEC 27001, 27017, and 27018, helping to identify and address compliance gaps before the formal audit begins.

Before reaching out to an assessor, determine which certification track applies to your service. For services handling Confidentiality class-2 data, the ISMAP-LIU path offers a streamlined process, reducing the scope of the external audit and lowering overall costs.

Feature                      Standard ISMAP               ISMAP-LIU
---------------------------  ---------------------------  -------------------------------------------------
Target Data                  General government data      Low-risk / Confidentiality class-2
External Audit Scope         Comprehensive annual audit   Reduced; some controls audited over several years
Internal Audit Requirement   Required                     Must cover all objectives within 3 years
Primary Benefit              Full government clearance    Faster, lower-cost registration

Preparing Evidence for the Assessment

The ISMAP Management Criteria Guidebook, available on the official ISMAP portal, is your go-to resource for this phase. It provides detailed explanations of how Japanese assessors interpret control requirements, which may differ from standard ISO audit expectations. Carefully study this guide before submitting any documentation.

Your evidence should cover key areas like governance, access controls, encryption, incident response, business continuity, and supply chain risk management. Pay special attention to incident response documentation, as assessors will check for workflows that align with Japan’s 3-to-5 business day breach notification requirement under APPI. Missing or unclear documentation in this area is a common reason for delays.

If you’re applying under ISMAP-LIU, you’ll also need to establish an internal audit schedule that covers all control objectives over three years. This schedule should be ready before the external audit starts, as assessors will review it as part of your governance evidence.

Addressing Findings and Completing Registration

Once your evidence is prepared and submitted, be prepared to address any audit findings quickly. Findings are common, but the key is to respond with prompt, documented remediation. This means not only fixing the issue but also providing a clear record of what was changed and why.

After the audit firm confirms compliance, submit your application through the ISMAP portal. You can also file an advance application with the ISMAP Operation Support Organization before the final submission. This step can help identify procedural issues early. Once your application is approved, your service will be listed on the ISMAP Cloud Service List. This listing is essential for selling to Japanese government agencies under the country’s Cloud-by-Default procurement policy. Since October 2022, Japanese authorities have been working to streamline this review process, with further updates planned as part of the 2025 System Review Initiatives.

Maintaining ISMAP Compliance After Certification

Securing a spot on the ISMAP Cloud Service List is a big achievement, but it doesn’t stop there. Staying compliant is an ongoing process that involves regular audits, effective change management, and keeping your documentation up to date.

Monitoring and Continuous Improvement

The 2026 ISMAP revision brought significant changes, reducing the control baseline by 75% – from 1,081 to 253 items – by removing redundancies and aligning with ISO/IEC 27002:2022. If your service has a valid ISO/IEC 27001 (ISMS) certification, you can benefit from the multi-year external audit cycle introduced in August 2024. With this model, the initial audit covers all controls, but renewal audits in following years focus only on areas where risks have changed or prior issues were noted. To streamline the process further, the Update Test mechanism allows evidence collection to be shortened to three months for controls with no changes or deficiencies.

Keeping your Statement of Applicability (言明書) updated is crucial, especially if your service expands or undergoes significant changes. Always use the latest templates from the ISMAP portal – such as Form 3 and Annex 7 – to avoid unnecessary delays. Additionally, addressing changes and incidents promptly ensures that your compliance remains intact.

Managing Changes and Incident Response

Continuous monitoring is essential, but what happens when changes occur? Any architectural updates or control modifications during an audit period trigger a "control change" (統制変更). These changes must be identified and formally communicated to your audit firm before the audit begins.

For SaaS providers using major cloud platforms like AWS, Azure, or Google Cloud, you can leverage your cloud provider’s ISMAP registration to cover infrastructure-layer controls. This allows you to concentrate your internal monitoring efforts on the application and data layers – where your configurations and customer data reside.

When hiring overseas engineers or remote staff, be mindful of Japan’s Foreign Exchange and Foreign Trade Act, which enforces deemed export controls. Hamamoto Ryuta, CEO of TIMEWELL Inc., warns:

"The scariest deemed export pattern is the one you notice after the hire. By the time you realize, the person has already touched the source repository, the audit trail is there, and you cannot walk it back."

To mitigate this risk, implement attribute-based access controls to restrict sensitive technology access based on an engineer’s residency and funding status.
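The residency- and funding-based restriction recommended here, and the attribute-based access controls suggested earlier for network security, as an added example (not code from the article, TIMEWELL or Nihonium): a deny-by-default policy whose every decision is logged for the audit trail. The attribute names, the two sample resources and the decision-log format are assumptions.

```python
"""Deny-by-default ABAC gate keyed on residency and funding status (added example)."""
from dataclasses import dataclass

ACTIONS = {"read", "write"}
DECISION_LOG: list = []  # every decision is recorded so the audit trail exists before access


@dataclass(frozen=True)
class Subject:
    user: str
    role: str             # "engineer" or "auditor" (assumed role names)
    residency: str        # ISO 3166 country code of residence, e.g. "JP"
    foreign_funded: bool  # funding status: materially funded by a non-resident entity


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str                # "source_repo", "k8s_namespace", "warehouse_role", ...
    export_controlled: bool  # holds technology subject to deemed-export rules


def evaluate(subject: Subject, resource: Resource, action: str) -> tuple:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    if action not in ACTIONS:
        allowed, reason = False, f"unknown action {action!r}"
    elif resource.export_controlled and (subject.residency != "JP" or subject.foreign_funded):
        # Deemed-export rule: evaluated first, before any role grant, so the
        # engineer never touches the repository in the first place.
        allowed, reason = False, "deemed-export restriction (residency/funding status)"
    elif subject.role == "auditor":
        allowed, reason = (action == "read"), "auditor role is read-only"
    elif subject.role == "engineer":
        allowed, reason = True, "engineer role"
    else:
        allowed, reason = False, f"no rule for role {subject.role!r}"
    DECISION_LOG.append({"user": subject.user, "resource": resource.name,
                         "action": action, "allowed": allowed, "reason": reason})
    return allowed, reason


def denied_deemed_export() -> list:
    """Users blocked by the deemed-export rule; feed this to alerting, not just the log."""
    return sorted({e["user"] for e in DECISION_LOG
                   if not e["allowed"] and e["reason"].startswith("deemed-export")})


# Constructed sample resources
CORE_REPO = Resource("core-crypto-module", "source_repo", export_controlled=True)
DOCS_NS = Resource("public-docs", "k8s_namespace", export_controlled=False)

if __name__ == "__main__":
    alice = Subject("alice", "engineer", "JP", foreign_funded=False)
    bob = Subject("bob", "engineer", "US", foreign_funded=False)
    for subj, res, act in [(alice, CORE_REPO, "write"), (bob, CORE_REPO, "read"),
                           (bob, DOCS_NS, "write")]:
        print(subj.user, res.name, act, evaluate(subj, res, act))
    print("deemed-export denials:", denied_deemed_export())
```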

Localizing for the Japanese Market

Compliance isn’t just about technical controls – it also means aligning your processes with local standards. This includes maintaining all ISMAP documentation and control descriptions in Japanese. Your privacy policy should also be translated into Japanese and clearly outline data storage parameters. If you offer Japan-region data hosting – such as AWS Tokyo (ap-northeast-1) or Azure Japan East – make sure this information is easy to find. Not only does this simplify cross-border compliance, but it also strengthens your position when selling to government clients.

"Reputational damage from publicized enforcement actions can be particularly severe in Japan, where business reputation and trust are paramount considerations in purchasing decisions." – Yuga Koda, Co-Founder, Nihonium

An active ISMAP listing is now a must-have, as local agencies require it for procurement bids. By localizing your documentation, you enhance both compliance and credibility in the market. For SaaS companies looking to expand in Japan’s public sector, maintaining your ISMAP registration is directly tied to your ability to grow.

For support navigating these localization requirements, Nihonium provides tailored services for the Japanese market, including product localization, Japanese-language documentation, and strategies designed for the public sector landscape.

Conclusion

Achieving ISMAP certification is no small feat, but it opens important doors for SaaS providers. Once certified, your service is added to a government-approved registry, eliminating the need for individual agency audits. As Jason David, Senior Manager at Coalfire, puts it:

"ISMAP is the single source of truth for security requirements, allowing an organization to conduct business with multiple government entities with an ISMAP registered status."

The process involves several critical steps: defining your scope, aligning with existing certifications, implementing necessary security measures, working with an ISMAP-approved assessor, and staying compliant through annual audits. Having certifications like ISO/IEC 27001 or SOC 2 can ease this process, as over half of ISMAP’s controls align with these frameworks. This overlap simplifies compliance efforts significantly.

Localization is another key aspect. Since all documentation must be in Japanese, reliable translation support becomes a necessity.

From initial planning to collaborating with assessors and managing annual audits, each step strengthens your position in Japan’s public sector market. The Japanese government procurement system represents a stable and lucrative opportunity, with ISMAP certification acting as the gateway. As Michael Kang, Cloud Security Manager at 38North Security, highlights:

"For CSPs seeking to support the Japanese government, ISMAP is both a gateway and a long-term security commitment."

With the program expanding into critical infrastructure and economic security sectors, early compliance with ISMAP can give your company a competitive edge. To fast-track your entry into Japan’s market, Nihonium offers tailored solutions, including localized documentation and strategic guidance.

FAQs

Do I need ISMAP or ISMAP-LIU for my SaaS?

The choice between ISMAP and ISMAP-LIU depends on the risk level associated with your SaaS operations and the type of data you handle.

  • ISMAP is mandatory for cloud services utilized by Japanese government agencies.
  • ISMAP-LIU, on the other hand, is designed for services with lower risk levels.

If your service is classified as low impact across six specific risk categories, ISMAP-LIU provides a more streamlined approach. This includes fewer external audits and an internal audit cycle that occurs every three years.

What evidence do auditors expect for ISMAP?

Auditors need to see evidence that your Information Security Management System (ISMS) is both well-designed and functioning as intended to meet ISMAP control criteria. This involves providing:

  • A third-party attestation along with a management confirmation statement.
  • Comprehensive application documentation that clearly defines the scope of your service.
  • Internal audit reports, and if there are any issues identified, corresponding improvement plans.

In addition, auditors examine design samples to ensure compliance and evaluate operational controls to verify they work effectively in practice.

Can I use non-Japan cloud regions if I meet CRYPTREC encryption?

When using cloud regions outside of Japan, compliance hinges on the ISMAP application and risk assessment process. ISMAP mandates that you disclose whether non-Japanese laws affect your service. This disclosure is critical for assessing risks, such as potential unauthorized access. To meet government security standards, you’ll need to provide clear details about data residency, applicable legal jurisdictions, and any associated risks.
