Note: This document is a tentative translation of “The Guidance on Operations of Information
Security Measures of Government Agencies and Related Agencies” for reference purposes,
and its accuracy is not guaranteed. No entity accepts responsibility for any
disadvantage arising from the information described in the document.
The Guidance on Operations of Information Security Measures of Government Agencies
and Related Agencies
August 31, 2016
Revised July 25, 2018
The Cybersecurity Strategic Headquarters
1. Objective of this Guidance
This guidance stipulates necessary matters for the following actions in relation to the application
of standards related to cybersecurity at the national administrative organs stipulated in Item 2,
Paragraph 1, Article 25 of the Basic Act on Cybersecurity (Act No. 104 of 2014; hereinafter
referred to as “the Act”), as well as Incorporated Administrative Agencies (referring to
corporations regulated in Paragraph 1, Article 2 of the General Rules for Incorporated
Administrative Agencies (Act No. 103 of 1999); hereinafter, the same shall apply) and Designated
Corporations (referring to designated corporations regulated in Article 13 of the Act; hereinafter,
the same shall apply) (hereinafter referred to as the “Agencies”): formulation of draft versions of
the Common Model of Information Security Measures for Government Agencies and Related
Agencies (decided by the Cybersecurity Strategic Headquarters; hereinafter referred to as “the
Common Model”) and the Common Standards for Information Security Measures for
Government Agencies and Related Agencies (decided by the Cybersecurity Strategic
Headquarters; hereinafter referred to as “the Common Standards”) by the National center of
Incident readiness and Strategy for Cybersecurity (hereinafter referred to as the “NISC”);
formulation of the Guidelines for Establishing Agencies’ Standards for Information Security
Measures (decided by the NISC; hereinafter referred to as the “Guidelines for Establishing
Standards”); application of information security measures at Incorporated Administrative
Agencies and Designated Corporations, and the application of information security measures for
information systems commonly used among multiple Agencies (excluding information
systems where everything from the hardware to the applications is managed and operated by a single
agency or entity; hereinafter referred to as “common platform systems”).