ISMAP Information Security Audit service and ISMAP Preliminary Assessment service at the preparatory stage

What is ISMAP?

The “Information system Security Management and Assessment Program” (ISMAP) aims to ensure the security level of government cloud service procurement by evaluating and registering cloud services that meet the government's security requirements in advance, thereby contributing to the smooth introduction of cloud services. In the future, in principle, each government agency procures cloud services from services registered with ISMAP.

Cloud service providers request audit institutions registered in the “ISMAP Audit Institutions List” to perform information security assessment of ISMAP, and receive information security assessment of ISMAP based on the “ISMAP Standard Assessment Procedures”, etc. regarding the implementation status of information security measures based on ISMAP control criteria. The application for ISMAP registration is submitted after the assessment.

The ISMAP Steering Committee receives an application from cloud service providers that have undergone an information security assessment at ISMAP. They review the compliance with the requirements for cloud service registration applicants, and register the cloud services that they determine are appropriate for registration in the “ISMAP Cloud Service List”.

For more information, please visit the ISMAP portal site. 
ISMAP Overview
*Link to the external website.

Outline of the Service

1. ISMAP Information Security Audit services

DTT LLC conducts procedures such as Inquiry, Inspection, Observation based on “ISMAP Information Security Assessment Guidelines” and “ISMAP Standard Assessment Procedures” 

in response to statements regarding the status of implementation of information security measures based on ISMAP Control Criteria by cloud service providers, and prepares and provides an assessment results report for the cloud service providers that aim to apply and be registered in the “ISMAP Cloud Service List”.

The purpose of the Services is to conduct procedures in accordance with the “ISMAP Information Security Assessment Guidelines” and “ISMAP Standard Assessment Procedures” and to report the results of the procedures with the facts, and not to provide or report assurance of conclusions derived from the results of the procedures.

(Please refer to "ISMAP Information Security Assessment Guidelines" (external website) - Chapter 1: General Rules 1.2: Features of Assessment in This Program, for details of the Services.)

2. Preliminary Assessment services in the preparatory stage for application for “ISMAP Cloud Service List”

DTT LLC provides preliminary assessment services in the preparatory stage for the cloud service providers to apply for registration of their cloud services to the “ISMAP Cloud Service List”.

Followings are its main services in the preliminary assessment,

• Identifying deficiencies in the statements (including control descriptions) and other necessary documents for the registration
• Providing comments on reviews in the documents

Why Deloitte

For many years, DTT LLC has been providing third-party assessment services for information security and information system management systems, as well as Service Organization Control (SOC) Assurance Reporting services, which enable it to earn an extensive knowledge and experiences in the implementation of information security measures. DTT LLC is also part of Deloitte Global Network and has a large number of professionals with global knowledge and experiences.

This ISMAP service is provided by its professionals who possess not only the rich knowledge and experiences mentioned above but also knowledge of cloud computing and information security related certifications that meet the standards of the Program. DTT LLC has been registered as an "ISMAP Audit Institution" (external website) since August 20, 2020.