Every so often I get a question like this from executives in Japan: "We already have ISO 27001, are there any Japan-specific frameworks we should consider?"
For SME decision-makers and IT managers in Japan: incorporating Japanese frameworks into your security posture is a procurement trust signal, and the compliance picture for SMEs in 2026 is layered and changing. Three schemes — SECURITY ACTION (IPA), ISO/IEC 27001 (international, but known as JIS Q 27001 in Japan), and the new SCS Evaluation Framework (METI) — each do something the others don't, and the order in which an SME should tackle them is not the order in which they rank by prestige.
What SECURITY ACTION is (and isn't)
SECURITY ACTION (セキュリティアクション) is a self-declaration scheme run by the Information-technology Promotion Agency (IPA). It has two tiers: ★1 is a public commitment to work through the IPA's SME information security guideline, and ★2 adds a published security policy plus completion of IPA's 25-item self-check (gofun de dekiru jisha shindan, 5分でできる自社診断). Both tiers are free, self-declared, and annually renewable.
What SECURITY ACTION is not is an audited certification. Nobody verifies your claims: if you declare ★★, nobody inspects whether you actually wrote a policy or filled out the self-check honestly. That is by design. Privacy Mark (P-mark, Pマーク) and ISO 27001 occupy the "verified" slot in the Japanese market; SECURITY ACTION deliberately sits below them, with a cost and friction profile aimed at bringing the maximum number of SMEs onto the first rung of a formal security posture.
The substance behind ★1 and ★2 is the IPA SME Information Security Guideline, which maps cleanly to ISO/IEC 27001 and NIST CSF 2.0. The outer wrapper is Japan-originated, but what it points at is the same control set Japanese enterprises already use. For operators looking for an international analog, the closest parallel is the UK's Cyber Essentials — the same low-friction, government-backed, SME-focused role, though Cyber Essentials layers a small external assessment onto its baseline that SECURITY ACTION does not.
The April 2026 change to gBizID Prime
Until March 2026, SECURITY ACTION declarations were filed through a lightweight web form. On April 1, 2026, IPA migrated the entire signup into a new IPA management system (kanri shisutemu 管理システム) that requires gBizID Prime — the Japanese government's unified business identity system, essentially a legal-entity single sign-on.
gBizID Prime is becoming the shared identity layer for business-to-government interactions in Japan. SECURITY ACTION is one use case, along with subsidy applications, license renewals, and a lengthening list of other government-facing services. If your company operates in Japan and the representative director (daihyō 代表者) doesn't yet have gBizID Prime, you should get it as a matter of general readiness.
The practical friction for a foreign-led SME sits a step upstream of SECURITY ACTION itself: gBizID Prime's online path requires the representative director to hold a valid My Number card, and the postal path needs a registered personal seal (inkan 印鑑) plus a seal certificate (inkan shōmeisho 印鑑証明書). Both paths require Japanese resident registration (jūminhyō 住民票). A representative director without resident registration, and therefore without either a My Number card or a registered seal, hits the wall before SECURITY ACTION is even in view.
The bigger picture — SCS is the ladder that SECURITY ACTION is the first rung of
Tō-ji's five-story pagoda (Kyoto) — five tiers, each supporting the next. A fitting parallel to the five-rung ladder the article describes.
In March 2026, METI published the final establishment policy (seido kōchiku hōshin 制度構築方針, the design document for the scheme) for a new initiative called the SCS (Supply Chain Security) Evaluation Framework (サプライチェーン強化に向けたセキュリティ対策評価制度). Full program launch for the ★3 and ★4 tiers is targeted for the end of FY2026, roughly March 2027. The evaluation criteria draw explicitly on NIST CSF 2.0 across six domains: governance, supplier management, risk identification, defense, detection, and response/recovery.
SCS is the scheme large Japanese prime contractors are expected to start writing into their procurement requirements. If you sell today to a Toyota, NTT, or Mitsubishi subsidiary that asks for ISMS or P-mark, in two to three years they will increasingly ask for your SCS star rating. That's the explicit intent of the program, not a speculative side effect.
SECURITY ACTION re-enters the story because METI and IPA deliberately made the numbering continuous: ★1 and ★2 under SECURITY ACTION, ★3 through ★5 under SCS. An SME with SECURITY ACTION ★★ has done the substance of the first two rungs; SCS picks up at ★3 with expert-confirmed self-evaluation, then adds third-party evaluation at ★4, for a still-unknown cost.
Two schemes, one continuous numbering. SECURITY ACTION covers ★1–★2; SCS covers ★3–★5. The registries and costs differ, but the ladder is deliberately designed so a ★★ holder sees a next step, not a reset.
SECURITY ACTION ★★ is the cheapest way for an SME to get onto the bottom rung of a ladder being built right above it.
Get it even if you have ISO 27001
If you already hold ISO 27001 certification, SECURITY ACTION ★★ is trivially satisfied. The substance required for ★★ — a published policy plus a 25-item self-check — is a subset of what any credible ISMS already produces. The interesting question isn't whether the scheme is redundant; it's what each layer is for.
The three layers do different jobs:
- ISO 27001 → substance. An international, independently audited Information Security Management System. Rigorous, evidence-based, widely recognized outside Japan. What most overseas HQs understand and expect.
- SECURITY ACTION ★★ → local visibility. A locally legible signal. Japanese SME customers, procurement teams, and trading partners recognize the ★★ logo on a website footer in a way they often don't recognize an ISMS registration number. The ISO 27001 audience and the SECURITY ACTION audience in Japan are not always the same people.
- SCS ★3 and above → procurement-ready tiered rating. A format built specifically for supply-chain-facing evaluation, with expert-confirmed or third-party-validated ratings that primes can compare across suppliers. It takes the substance of an ISMS and converts it into the form a Japanese prime contractor's procurement team can consume.
If ISO 27001 is done well, SECURITY ACTION ★★ is an afternoon, and SCS ★3 — 25 or so items, most of which map to ISO Annex A controls — is mostly a reformatting exercise.
What we're doing at eSolia
We're working through the same sequencing question our clients face. Here's where we are:
- In flight — ISO/IEC 27001 certification. Our four-tier ISMS is built; secure development, access control, and risk management procedures are in place; Stage 1 audit is within our planned window. We're treating ISO 27001 as the substance foundation for everything above it.
- Declared — SECURITY ACTION ★★. With our gBizID Prime account in place, we've self-declared ★★ via the new IPA management system and added the ★★ logo to our site. Because the substance bar is below what our ISMS already covers, this was a formatting step rather than a new workstream.
- FY2027 roadmap — SCS ★3. We'll run an SCS ★3 gap check once METI publishes the operational guidance (gaidansu shiryō ガイダンス資料), close any evidence-format gaps, and engage a Registered Information Security Specialist (RISS, tōroku sekisupe 登録セキスペ) for expert confirmation. Target submission is Q2 2027.
- Deferred — SCS ★4. ★4 adds third-party evaluation on top, including onsite audit and technical verification. We're deferring until a specific client contract triggers it.
To make the substance reuse cleanly across layers, we maintain an internal control crosswalk that maps ISO 27001:2022 Annex A controls against NIST CSF 2.0 functions and SCS ★3/★4 requirement items. When an ISMS document is revised, we update the crosswalk, so that SCS-format evidence is regenerated from the ISMS as the single source of truth rather than kept as a second, independently maintained store.
This is the pattern we suggest to clients going through the same decision: treat the ISMS as the evidence source, treat SECURITY ACTION as a declaration exercise, and treat SCS as a formatting exercise against the ISMS — not as three parallel compliance stores.
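As an added illustration of that pattern (example code written for this article, not eSolia's internal tooling), here is a small Python model of a control crosswalk that treats the ISMS document register as the source of truth. It pins each mapping to the document revision it was reviewed against, reports SCS items that no Annex A control covers, flags mappings that went stale when a document was revised, and regenerates the evidence sheet from the register instead of copying evidence into a second store. The ISO 27001:2022 Annex A control IDs and NIST CSF 2.0 function codes are real; the SCS item IDs (GOV-01 and so on), the six-domain grouping of them, and the document register are constructed placeholders, since METI's operational item list was not yet published.

```python
"""Control crosswalk that regenerates SCS-format evidence from ISMS documents.

Added illustrative example. ISO 27001:2022 Annex A control IDs and NIST CSF 2.0
function codes are real; the SCS item IDs (GOV-01 ...) and the ISMS document
register are hypothetical placeholders, not a real scheme or a real ISMS.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IsmsDoc:
    doc_id: str
    title: str
    revision: int


# The ISMS source of truth: a document register with current revisions.
# Constructed sample data, not a real register.
ISMS_DOCS = {
    "POL-01": IsmsDoc("POL-01", "Information Security Policy", 3),
    "PRC-07": IsmsDoc("PRC-07", "Supplier Security Procedure", 2),
    "PRC-12": IsmsDoc("PRC-12", "Incident Response Procedure", 5),
    "STD-03": IsmsDoc("STD-03", "Logging and Monitoring Standard", 1),
}

# Crosswalk rows: one Annex A control -> CSF 2.0 function -> evidence document,
# pinned to the document revision the mapping was last reviewed against.
CROSSWALK = [
    {"iso": "A.5.1",  "csf": "GV", "doc": "POL-01", "doc_rev": 3},
    {"iso": "A.5.19", "csf": "GV", "doc": "PRC-07", "doc_rev": 2},
    {"iso": "A.5.24", "csf": "RS", "doc": "PRC-12", "doc_rev": 4},  # PRC-12 is now rev 5
    {"iso": "A.8.15", "csf": "DE", "doc": "STD-03", "doc_rev": 1},
]

# SCS requirement items (hypothetical IDs) grouped into the six SCS domains,
# each listing the Annex A controls whose evidence satisfies the item.
SCS_ITEMS = {
    "GOV-01": {"domain": "governance",          "iso": ["A.5.1"]},
    "SUP-01": {"domain": "supplier management", "iso": ["A.5.19"]},
    "RSK-01": {"domain": "risk identification", "iso": ["A.8.8"]},   # no crosswalk row yet
    "DET-01": {"domain": "detection",           "iso": ["A.8.15"]},
    "RSP-01": {"domain": "response/recovery",   "iso": ["A.5.24"]},
}


def rows_for(control: str, crosswalk=CROSSWALK) -> list:
    """All crosswalk rows that cite a given Annex A control."""
    return [r for r in crosswalk if r["iso"] == control]


def coverage_gaps(scs_items=SCS_ITEMS, crosswalk=CROSSWALK) -> list:
    """SCS items for which at least one required control has no crosswalk row."""
    return sorted(
        item for item, spec in scs_items.items()
        if any(not rows_for(c, crosswalk) for c in spec["iso"])
    )


def stale_rows(crosswalk=CROSSWALK, docs=ISMS_DOCS) -> list:
    """Rows whose pinned revision no longer matches the ISMS register.

    Run this whenever an ISMS document is revised: a stale row must be
    re-reviewed and re-pinned before its evidence is regenerated.
    """
    return [r for r in crosswalk if docs[r["doc"]].revision != r["doc_rev"]]


def generate_evidence_sheet(scs_items=SCS_ITEMS, crosswalk=CROSSWALK, docs=ISMS_DOCS) -> dict:
    """Regenerate the SCS evidence sheet from the ISMS register.

    Each item gets a status of 'covered', 'stale' (evidence cited at an old
    revision) or 'gap' (no crosswalk row for a required control), plus its
    evidence as (doc_id, title, current_revision) read from the register.
    """
    stale = {(r["iso"], r["doc"]) for r in stale_rows(crosswalk, docs)}
    sheet = {}
    for item, spec in scs_items.items():
        rows = [r for c in spec["iso"] for r in rows_for(c, crosswalk)]
        if any(not rows_for(c, crosswalk) for c in spec["iso"]):
            status = "gap"
        elif any((r["iso"], r["doc"]) in stale for r in rows):
            status = "stale"
        else:
            status = "covered"
        evidence = [(r["doc"], docs[r["doc"]].title, docs[r["doc"]].revision) for r in rows]
        sheet[item] = {"domain": spec["domain"], "csf": sorted({r["csf"] for r in rows}),
                       "status": status, "evidence": evidence}
    return sheet


if __name__ == "__main__":
    print("gaps:", coverage_gaps())
    print("stale:", [r["iso"] for r in stale_rows()])
    for item, row in generate_evidence_sheet().items():
        print(item, row["status"], row["evidence"])
```

The point of pinning `doc_rev` on each row is that a revision to an ISMS document cannot silently flow into the SCS sheet: the row shows up in `stale_rows()` until someone re-reviews the mapping, which is the review step the crosswalk exists to force. In a real deployment the constructed dictionaries would be read from the ISMS document register and a maintained mapping file.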
What this means for you
What you should do depends on where you're starting from.
- If you have no formal posture today. SECURITY ACTION ★1 or ★2 is a sensible starting point, and nothing more prestigious needs to come first. It is free, quick to do once you have gBizID Prime, and publicly visible. It also unlocks eligibility for Japan's IT Introduction Subsidy (IT dōnyū hojokin, IT導入補助金) for most applicant categories.
- If you have ISO 27001, or are certifying. Add SECURITY ACTION ★★ as a formality. An afternoon of work; gives you a signal Japanese SME buyers understand. Next, start watching SCS.
- If you sell into Japanese enterprise supply chains. SCS is the one to watch. Expect requests from FY2027. An ISO 27001-grounded ISMS plus SECURITY ACTION ★★ puts you in a strong position to reach SCS ★3 inside a quarter of format work. Reaching ★4 is a separate, larger investment that you should plan only when a contract triggers it.
- If you're in a regulated sector. Different frameworks apply on top — FISC for financial services, MHLW guidelines for healthcare, NISC/NCO common standards for government-facing work. Our companion primer lists the main ones.
The Japanese procurement conversation is shifting from "are you ISMS-certified?" toward "what's your SCS star?" The time to sequence the layers is before your first large Japanese prime asks the question.
Work through it for your own business
We've published a short companion worksheet that translates the framing in this article into a specific action plan — a scorecard, a path identifier, and a 90-day / 12-month roadmap per path.
Frequently Asked Questions
Is SECURITY ACTION a certification?
No. SECURITY ACTION is a self-declaration scheme run by IPA, not an audited certification. Companies publicly commit to specific security behaviors and display a logo. Privacy Mark (Pマーク) and ISO 27001 occupy the verified-certification slot in Japan. SECURITY ACTION sits deliberately below them to raise the baseline for SMEs that would otherwise not engage with security formally at all.
Do I still need SECURITY ACTION if my company has ISO 27001?
You don't need it, but it's worth adding because the two do different jobs. ISO 27001 is substance; SECURITY ACTION ★★ is a locally legible signal that Japanese trading partners, procurement teams, and SME customers recognize. If you already operate a real ISMS, satisfying the ★★ self-check is an afternoon of work.
What is SCS and when will it become a procurement requirement?
SCS (Supply Chain Security Evaluation Framework) is a new tiered scheme from METI, finalized in March 2026. Launch of the ★3 and ★4 tiers is targeted for late FY2026. Large Japanese primes — the Toyota, NTT, and Mitsubishi-class companies at the top of supply chains — are expected to begin writing SCS star ratings into procurement contracts from FY2027 onward.
What changed with SECURITY ACTION on April 1, 2026?
IPA moved SECURITY ACTION signup behind gBizID Prime, the Japanese government's unified business identity system. A representative director (daihyō 代表者) must register for gBizID Prime first, then issue Member accounts to operational staff. The self-declaration itself still takes an afternoon; the upstream step is getting gBizID Prime, which is same-day online with a My Number card or about two weeks by post.
How does SCS ★3 relate to ISO 27001?
The two overlap heavily. Of the roughly 25 items in SCS ★3, the substantial majority map directly to controls already covered by ISO 27001 Annex A and NIST CSF 2.0. For companies with a real ISMS in place, SCS ★3 is mostly a reformatting exercise — producing the SCS evaluation sheet from ISMS evidence — rather than building new controls.
Should an SME pursue SCS ★4?
Only if a specific client contract requires it. ★4 adds third-party evaluation — document review, onsite audit, and technical verification — on top of ★3, which is expensive. ★4 is positioned for IT vendors and companies whose outage would materially disrupt supply chains. Most SMEs should target ★3 first and treat ★4 as a contract-triggered decision.
Does SECURITY ACTION ★★ qualify my business for Japanese IT subsidies?
Yes — SECURITY ACTION ★1 or ★2 is a prerequisite for Japan's IT Introduction Subsidy (IT dōnyū hojokin, IT導入補助金) for most applicant categories. If your SME is applying for that subsidy to offset the cost of tools like Microsoft 365, an accounting package, or endpoint protection, declaring SECURITY ACTION is the cheapest way to become eligible.
Glossary of Japanese terms
For reference, the Japanese terms used in this article and the companion worksheet:
| Term | Reading | Meaning |
|---|---|---|
| セキュリティアクション | sekyuriti akushon | SECURITY ACTION — IPA's two-tier self-declaration scheme |
| 代表者 | daihyōsha (shortened to daihyō in this article) | Representative director — the legally registered senior executive of a Japanese company |
| 管理システム | kanri shisutemu | Management system — in context, IPA's new SECURITY ACTION portal (launched April 2026) |
| 印鑑 | inkan | Personal seal/stamp, registered with the ward office and used as a legal signature |
| 印鑑証明書 | inkan shōmeisho | Seal registration certificate issued by the ward office |
| 住民票 | jūminhyō | Resident registration certificate issued by the ward office |
| 5分でできる自社診断 | gofun de dekiru jisha shindan | IPA's 25-item self-check (literally "5-minute self-diagnosis") |
| 制度構築方針 | seido kōchiku hōshin | Establishment policy — a formal scheme-design document published by METI or another ministry |
| サプライチェーン強化に向けたセキュリティ対策評価制度 | — | Full formal name of the SCS Evaluation Framework |
| ガイダンス資料 | gaidansu shiryō | Operational guidance materials published alongside a scheme |
| 登録セキスペ | tōroku sekisupe | Registered Information Security Specialist (RISS) — IPA national qualification |
| IT導入補助金 | IT dōnyū hojokin | Japan's IT Introduction Subsidy |
| Pマーク | pī māku | Privacy Mark — JIPDEC's privacy-management certification (JIS Q 15001) |
About the Author
Rick Cogley is CEO and Co-Founder of eSolia Inc., a bilingual IT management firm based in Tokyo. Since 1999, eSolia has provided B2B IT services to international companies operating in Japan, bridging Japanese business culture and international IT standards.