Information security awareness promotion initiatives for SMEs

While there is growing concern over cyber-attacks, Japan’s small and medium-sized enterprises (SMEs) are less prepared for such threats. To help them keep up with evolving cybersecurity needs, IPA developed “Information Security Measures Guidelines for Small and Medium-sized Enterprises” in 2009 and started SECURITY ACTION program in April 2017.

The SECURITY ACTION program encourages SMEs to raise their information security awareness and commit to achieving two-tier goals of their information security readiness by implementing basic security measures. SMEs are required to join this program before applying for the IT introduction subsidy.

SECURITY ACTION One-Star:

To qualify, a company must declare commitment to implement “Information Security 5 To-dos” as defined in the appendix to “Information Security Measures Guidelines for Small and Medium-sized Enterprises”.

“Information Security 5 To-dos”:

1. Always keep your OS and software up to date
2. Install anti-virus software
3. Strengthen your passwords
4. Review data/file sharing settings
5. Stay updated on possible threats and attacks

SECURITY ACTION Two-Star:

To qualify, a company must enhance its information security readiness by using “5-Minute Information Security Self-Assessment”, which is the appendix to “Information Security Measures Guidelines for Small and Medium-sized Enterprises”. The process will complete once the company establishes and publicly discloses its information security policies as key principles.

“Information Security Measures Guidelines for Small and Medium-sized Enterprises” includes “Information Security 5 To-dos” as Appendix 1 and ”5-Minute Information Security Self-Assessment” as Appendix 2.

Please note that the aforementioned documents are not the latest version.
The latest version (version 4.0, published in March 2026) is only available in Japanese.