Financial Industry Information Systems Center Logo

    The Center for Financial Industry Information Systems (FISC) is a not-for-profit organization established by the Japanese Ministry of Finance in 1984 to promote security in banking computer systems in Japan. Some 700 corporations in Japan are supporting members, including major financial institutions, insurance and credit companies, securities firms, computer manufacturers, and telecommunications enterprises.

    In collaboration with its member institutions, the Bank of Japan, and the Financial Services Agency (a government organization responsible for overseeing banking, securities and exchange, and insurance in Japan), the FISC created guidelines for the security of banking information systems. These include basic auditing standards for computer system controls, contingency planning in the event of a disaster, and the development of security policies and standards encompassed in more than 300 controls.

    Although the application of these guidelines in a cloud computing environment is not required by regulation, most financial institutions in Japan that implement cloud services have built information systems that satisfy these security standards, and it can be very difficult to justify diverging from them. (The latest guidelines, Version 8 Supplemental Revised, issued in 2015, added two revisions relating to the use of cloud services by financial institutions and countermeasures against cyberattack.)

    Microsoft engaged outside assessors to validate that Microsoft Azure and Microsoft Office 365 meet the FISC Version 8 requirements. Microsoft provided evidence of compliance in each of the following areas:

    • Datacenter guidelines for buildings and computer rooms, power, air conditioning, datacenter, and facilities monitoring.
    • Operational guidelines for organizations, training, access control, system development, and auditing.
    • Technical guidelines for measures to improve the reliability of hardware and software, and for countermeasures against security risks including data protection, prevention against unauthorized use, threat detection, and disaster recovery.

    Financial institutions can rely on this evaluation of the compliance of these three areas for the in-scope infrastructure and platform services of Azure and Office 365.

    Frequently asked questions

    To whom do the FISC guidelines apply?

    Banks and other financial institutions in Japan that want to validate their approach to system security, reliability, and auditing, and align with established best practices in Japan, follow the FISC guidelines.

    Where can I get more information on Version 8 of the FISC requirements?

    The FISC has published two reports from its Council of Experts:

    Where can I get the details of Microsoft's responses to the FISC framework?

    A copy of the completed assessment framework is available to customers who have signed a nondisclosure agreement with Microsoft by contacting their account representative. Potential customers can make a request at

    You can also see security references (in Japanese) from third parties who have evaluated the FISC compliance of Microsoft cloud services.

    Which Microsoft cloud services are in scope for FISC?

    Covered services include:

    • Azure: Virtual Machines, Cloud Services, Batch, Web Apps (formerly Web Sites), Mobile Apps (formerly Mobile Services), Notification Hub, Storage, SQL Database, HDInsight, Virtual Network, Traffic Manager, ExpressRoute, Service Bus, BizTalk Services, Active Directory, Multi-Factor Authentication, Rights Management Service, Media Services, and Scheduler.
    • Office 365 detailed list.

    Can I use Microsoft’s responses to this framework in my organization’s qualification process?

    Yes. However, although Microsoft responses to this framework are confirmed compliant by third parties, customers are responsible for validating the compliance of solutions they have implemented on Azure or Office 365.

    Office 365

    Helpful information

    Conformance with this framework is not required by regulation, and not audited or otherwise validated by the FISC.