Registration is required for businesses that provide cloud services to government agencies.
One of the technologies supporting DX is cloud services. The rapid expansion of cloud services has reached government agencies as well because of its quickly establishment. With the announcement of the "Cloud by Default Principle" in June 2018, the government officially declared that the cloud services are the first choice for government agencies in procuring information systems.
At the same time, the Security Assessment System for Government Information Systems (ISMAP) was established to assess the security of cloud services, and the system has been in operation since June 2020.
※ISMAP is a system in which cloud services provided by cloud service providers are evaluated by a third-party organization to determine whether they are being operated safely and registered in a "registry (ISMAP Cloud Service List). It is the policy of each government agency to procure services from those registered on the ISMAP Cloud Service List.
In October 2021, the Digital Agency released the procurement specifications for the "Provision of Cloud Services for Government Cloud Development in the Digital Agency - Advance Project by Local Governments in FY2021 and Digital Agency Website Construction Work". This procurement is for the Digital Agency to build an infrastructure using cloud services. The procurement specifications call for the Digital Agency to be an ISMAP-registered business, and AWS was selected as the result of the bid opening.
AWS, Azure, and GCP registered their services at the start of the ISMAP system (March 2021) in anticipation of this situation. ISMAP registration requires a written statement and at least 6 months of operational performance, so it takes nearly a year to work on acquisition. Even if you start working on it after the procurement is released, you will not be able to get it in time.
◆Mapping of about 1,300 control measures to internal rules and regulations Create a statement based on the ◆mapping results →Design Phase 2 and beyond along with a statement
- Presentation of solutions that need to be implemented and preparation of implementation schedule
- Presentation of rules and regulations that need to be changed, etc.
◆Use the statement prepared in Phase 1 as the overall blueprint, and analyze the differences from the current status.
→Assuming "Standard Audit Procedures," evaluate changes in controls and adequacy of trails, and propose improvement measures
◆The audit firm conducts a pre-audit investigation of the statement (checks the implementation status of controls measures and verifies evidence).
- The audit firm conducts a pre-audit review of the statements to ensure that they are ISMAP audit-worthy.
- We act as a liaison with the audit firm and provide full support for communication with the audit firm.
- We explain the appropriateness of the statement and the GAP with the current situation, and provide the points to be checked at the time of the audit.
→ The audit firm confirms the control status and operational status of more than 1,300 items in the pre-audit check.
→ We provide comprehensive support for clients unfamiliar with audit response, including handling hearings and organizing documents and trails.
◆Requirements Implementation Support
- Conduct management reviews and internal audits included in ISMAP requirements
◆ISMAP Audit (Audit by an Audit Firm)
- ISMAP audit is conducted by an audit firm based on standard audit procedures
→We support the client's response to the audit by acting as a front for the client.
- Preparation on Audit Implementation Report (by Audit Corporation)
→The audit firm prepares an audit report based on the audit results.
→Assist in providing guidance on targeted policies and collecting evidence in response to findings
◆Preparation of Application Documents and Application for IPA
- Based on the audit implementation report, we will apply for registration to the ISMAP Service List
→ After the application is submitted, the IPA will ask you many questions and request you to provide evidence.
→Delayed responses cause delays in service list registration, so we provide comprehensive assistance to ensure the fastest possible registration after the completion of the audit.
【As of May 2022, we have provided consulting services to several companies out of 35 ISMAP-registered cloud services.】
【Comprehensive consulting services by former employees of the four major audit firms】
【In-depth consulting that goes beyond advisory services. Proposing solutions to solve problems】
【We will act as a liaison between the audit firm and the client and provide support up to the registration on the service list. We also provide support for subsequent operational audits.】