Information security policies

Advances in IoT are connecting more and more items and types of information, bringing new value to society. Unfortunately, threats such as cyber attacks are being carried out more skillfully each day, and there is an ever-present threat that company information, customer details and other private information will be leaked. Attacks like these stand in the way of sustainable growth of companies, and it is critical that these risks are managed.

With this in mind, Aisin has established the AISIN Group Information Security Basic Policy. Information assets entrusted to us by customers and trading partners, or related to the group's business activities, are vital assets of AISIN Group, and we carry out systematic, ongoing information security measures to protect them.

Framework for promotion of information security

Aisin's CSDO*1 is responsible for establishing structures such as information strategies and IT investment plans based on our business strategies, and holds responsibility and authority for execution and operations related to information security and privacy throughout AISIN Group. Under our CISO, we have established the GA-CSC*2 as a specialist security organization to protect the company from risks such as cyber attacks and unauthorized actions by employees, and it carries out security activities throughout AISIN Group. Information security policies and measures are proposed by the Consolidated Risk Management Committee to improve information security throughout AISIN Group. Major security incidents that could cause issues such as production stoppages are immediately reported to our CSDO and to the departments involved in risk management, and investigation, analysis and countermeasures are carried out.

  *1 CSDO: Chief Software & Digital Officer
  *2 GA-CSC: Global AISIN Corporation Security Center

Framework for promotion of information security


Information security initiatives

Aisin centralizes the whole group's measures at its head office, and works to carry out security measures against increasingly agile and sophisticated cyber attacks and methods of leaking internal information, as well as privacy measures that comply with the laws of each country. Security measures include the establishment of security guidelines based on standards such as ISO27001/27002 and NIST, customers' requirements and the guidelines of the Japan Automobile Manufacturers Association, and the stipulation of measures to strengthen and enhance our organizations, human management, technical measures, physical management and incident and accident framework to ensure information security. The status of the measures in the guidelines is inspected throughout the group and reported to executives so that information security across the group is maintained and improved on an ongoing basis. In May 2021, we established a PSIRT in GA-CSC to work on automotive security measures.

We are members of AUTO-ISAC in Japan and the USA. We collect information on risks that have occurred in the industry, apply it to our in-house development, and carry out initiatives according to ISO21434 and WP29. Privacy measures are carried out throughout the group to comply with the laws in each country, such as the GDPR. As digital transformation (DX) accelerates, personal information increasingly needs to be transferred between countries. Aisin has concluded a group-wide SCC agreement that makes it possible to transfer personal information between the domestic and overseas arms of the group.

We will continue to strive to handle personal information securely, training and communicating with all of our employees with a focus on the laws of each country.

Security guidelines

Management item                 | Details of measures
Organization                    | Implementation frameworks, rules, procedures
Education                       | Education, awareness-raising, training
Technical measures              | Asset management, access control, networks, etc.
Physical management             | Facility and area control
Incident and accident framework | Reporting framework, rules

Training and awareness-raising activities

  1. Training at each level—when starting, promoted, etc. (FY2021: 1,500 persons)
  2. Onboarding training for events such as overseas posts, business travel, etc.
  3. Training for all employees on handling suspicious emails (once per year)
  4. Awareness-raising activities through Information Security Month (once per year) and Group newsletters (once per month)