DEV Community

Rick Cogley

Originally published at cogley.jp

SECURITY ACTION: Japan's Free Security Credential Most SMEs Haven't Noticed

I run a small IT services firm in Tokyo. While working through ISO/IEC 27001 certification, I stumbled onto SECURITY ACTION — a free self-declaration security scheme run by Japan's IPA. If you operate an SME in Japan and you care about security, you should know this exists. Two rule changes in 2026 make it more relevant than it looked a year ago.

What SECURITY ACTION is

A self-declaration scheme, not a certification. Two tiers:

  • ★1 — commit publicly to working through the IPA's SME security guidelines.
  • ★2 — publish a basic info-security policy and complete the IPA's 25-item self-check (5分でできる自社診断).

Both are free, self-declared, and renewed annually. The IPA posts your declaration to their registry and gives you a logo for your website.

International context: SECURITY ACTION sits roughly where the UK's Cyber Essentials sits — low-friction, government-backed, two-tier, SME-focused. IPA developed it independently, so it's not officially modelled on Cyber Essentials, but practitioners discuss them together. Underneath the wrapper, the substance maps to ISO/IEC 27001 (known in Japan as JIS Q 27001) and NIST CSF — the same international standards the new SCS scheme is built from.

The April 2026 change: gBizID Prime required

Until April 1, 2026, you declared via a lightweight online form. Now the whole scheme runs on gBizID — the government's unified business identity system. You specifically need gBizID Prime, which is tied to the company's representative director (daihyō).

Prime has two application paths (both documented in the Digital Agency's GビズID Quick Manual for 法人代表者, v1.4 March 2026, page 1 アカウント体系 table):

  • Online (same-day). Daihyō's My Number card + PC + smartphone with the GビズID app. You start on a PC at gbiz-id.go.jp, install the app via the portal's QR code, NFC-read the card, enter the signing-certificate PIN, and the electronic signature authenticates your submission. Per Digital Agency: 最短即日 (same day at fastest).
  • Postal (~2 weeks). Daihyō's registered personal 印鑑 + fresh 印鑑証明書 from the ward office + printed application form + mail to the Digital Agency. Per Digital Agency: 原則2週間以内 (within 2 weeks).

Once Prime is issued, the daihyō provisions gBizID Member accounts for other staff, who can then do the SECURITY ACTION declaration and most other government-facing work.

gBizID is quietly becoming the identity layer for B2G in Japan. If you run a company here and don't have Prime yet, getting it is worth doing regardless of SECURITY ACTION. The real friction for a foreign daihyō is the prerequisite under both paths: online needs a My Number card (住民票 required); postal needs a registered 印鑑 + 印鑑証明書 (also 住民票 required). The wall is upstream of gBizID, not inside it.

Why it matters now: SCS is coming

In March 2026, METI finalised the design for a new Supply Chain Security (SCS) evaluation scheme, targeting program launch around March 2027. Five tiers, requirements drawing on NIST CSF 2.0. The explicit intent: large Japanese prime contractors (the companies at the top of a supply chain that hold the customer contract and push requirements down to their subcontractors) will start writing SCS star ratings into procurement requirements.

The five-tier pyramid — two schemes sharing one numbering:

SCS/SECURITY ACTION five-tier pyramid

  • ★5 · SCS — frontier tier, specs not yet published.
  • ★4 · SCS — third-party evaluation (document + onsite + technical).
  • ★3 · SCS — expert-confirmed self-evaluation with a 登録セキスペ signing off.
  • ★2 · SECURITY ACTION — published policy + 25-item self-check.
  • ★1 · SECURITY ACTION — public commitment to improve.

Two registries, two schemes, but one continuous ★ scale: SECURITY ACTION (IPA) covers ★1–★2; SCS (METI) covers ★3–★5. The continuity is deliberate — METI designed the numbering so a SECURITY ACTION ★★ holder sees a next step rather than a reset.

Honest take

It's not a certification. Nobody audits your declaration. The logo means "this company publicly committed," not "this company was independently verified." Pマーク and ISO 27001 occupy the verified slot.

If you have ISO 27001, ★★ is trivially satisfied. The substance for ★★ — a published policy and a 25-item checklist — is a subset of any credible ISMS. My firm has its ISMS documentation in flight for certification, so ★★ is a formatting exercise against evidence we've already written — we'll roll into it the moment gBizID Prime lands.

But SECURITY ACTION fills a niche ISO 27001 doesn't. Japanese SMEs, consumers, and procurement teams recognise the ★★ logo. They often don't recognise an ISMS registration number. It's a locally legible signal, and carrying both costs nothing.

It's also the cheapest path to the IT Introduction Subsidy (IT導入補助金). ★1 or ★2 is a hard prerequisite for that program.

Practical steps

  1. Pick a gBizID Prime path: online (same-day, needs My Number card + smartphone with the GビズID app) or postal (~2 weeks, needs registered 印鑑 + 印鑑証明書).
  2. Apply via gbiz-id.go.jp — the portal walks you through whichever path you chose.
  3. Issue gBizID Member accounts from the Prime admin console.
  4. Log into the IPA 管理システム and walk the declaration wizard.
  5. Add the ★ or ★★ logo to your website per IPA guidelines.
  6. Renew annually (free).

The SECURITY ACTION work itself is an afternoon. The long pole is Prime if you don't already have it.

Bottom line

If you run a small company in Japan and haven't declared SECURITY ACTION ★★, there's very little reason not to. Free. Afternoon. The gBizID Prime account is something you'll need anyway. And the supply-chain-security wave arriving via SCS will make having ★★ already in place worth more than the cost to get it.


Rick Cogley is CEO of eSolia Inc., providing bilingual IT outsourcing and infrastructure services in Tokyo, Japan.
