情報セキュリティマネジメント試験 — 管理者向けセキュリティ

The Information Security Management Exam (SG) is a METI-certified, IPA-administered national exam at "Level 2" of the Information Processing Engineer Examinations. It is the same level as FE but targets a different audience: while FE targets aspiring engineers, SG asks for the knowledge needed by non-technical managers and business operators (general users and departmental managers) when they manage information security from their position.

SG, like FE, consists of Subject A and Subject B. Subject A is four-choice multiple choice with 48 questions in 60 minutes. The scope centers on information security basics, management, technology, and related laws, with some basic Technology-domain content (network, database) also asked. Subject B is long-form reading comprehension with 12 questions in 90 minutes. Case problems based on practical scenarios (incident response, internal fraud, supply chain attacks) are asked.

The passing criteria require 600/1000 or higher on each of Subject A and Subject B. The fee is 7,500 yen including tax. The published pass rate is about 50%, relatively high for a national qualification. This results from consciously designing for "a difficulty level easy for managers and business operators to challenge."

SG's scope is divided into four major areas. Area 1, "Information Security Basics," covers the CIA triad (Confidentiality, Integrity, Availability), the seven elements adding authenticity, accountability, non-repudiation, and reliability, the relationship between threats (human-caused/natural) and vulnerabilities, and the relationship between information assets and risk.

Area 2, "Related Laws," covers laws enterprises must comply with: Personal Information Protection Act (2022 amendment, mandatory leakage reporting), Unauthorized Access Prohibition Act (theft of IDs/passwords and abetting acts), Unfair Competition Prevention Act (the three trade-secret requirements), Copyright Act, Basic Cybersecurity Act, etc. Definitions of "personal information," "special care-required personal information," and "anonymously processed information" are frequently asked.

Understand the overall picture of the Information Security Management System (ISMS, ISO/IEC 27001 compliant). Grasp the framework of control measures: information security policy, asset management, access control, physical/environmental security, incident management, business continuity management (BCP/BCM). Continuous improvement via the PDCA cycle (Plan-Do-Check-Act) is also frequent.

The risk assessment procedure is: (1) Asset identification: list out information assets to protect. (2) Threat/vulnerability identification: enumerate threats (malware, insider fraud, natural disasters) and vulnerabilities (unpatched, weak authentication) for each asset. (3) Risk analysis: calculate risk value from occurrence frequency and impact degree. (4) Risk evaluation: judge whether the risk is acceptable. (5) Risk response: choose from four options — reduce, avoid, transfer (insurance), or accept.

SG is a management-oriented exam, but basic technology is also asked. In Authentication: multi-factor authentication (MFA/2FA), biometric authentication, single sign-on (SSO), public-key infrastructure (PKI), and digital certificates. In Cryptography: understand symmetric-key (AES), public-key (RSA, elliptic curve), hash (SHA-256), and digital signature mechanisms. In Malware Countermeasures: distinguish characteristics of viruses, worms, Trojan horses, ransomware, and spyware, and grasp various countermeasures (pattern matching, behavioral detection, sandboxing).

Standard study hours are about 100–200 for beginners. The "SG Past Question Dojo," official textbooks, and commercial texts are standard resources. After passing SG, those with managerial orientation can target AP (selecting security + service management + system audit in the afternoon); those with technical orientation should target FE → Registered Information Security Specialist (SC, Level 4).