Security
Development of an Information Security Management System
The Dentsu Group Basic Policy for Information Security has been formulated in order to protect critical information, including personal information held within the dentsu Group, or received from clients. In addition, at dentsu Japan, a strict information security management system is in place, headed by the Chief Information Officer (CIO).
At Dentsu, the Dentsu Head Office in Tokyo received BS 7799-Part 2:2002 certification for information security management system in 2003, which was expanded to the entire company when the Kansai and Chubu offices received the same certification in 2005. Subsequently, approximately 50 companies within the dentsu Group in Japan obtained ISO/IEC 27001:2005 and JIS Q 27001:2006 certification in 2005, followed by Dentsu in 2007. In 2019, the group certification for the dentsu Group in Japan was integrated with Dentsu's certification. In 2025, the certification standards were updated to the latest versions, ISO/IEC 27001:2022 and JIS Q 27001:2023.
Through these initiatives we strive to respond flexibly across the entire Group to the ever-changing and increasingly sophisticated environment relating to information and communication technology (ICT), implementing stringent information security management.
Dentsu Group Basic Policy for Information Security
In all business domains the dentsu Group engages in information security management to protect the critical information held by the Group.
| 1. Compliance with Laws | Based on requests from our stakeholders, including clients and other business partners, we will properly address information security management to ensure compliance with the relevant laws and regulations. In particular, personal information will be managed in a strict manner. |
|---|---|
| 2. Strict Information Management | We will manage information strictly to prevent any leakage, loss, damage or misuse of information such as confidential client information and personal information. We will share such business information only among employees and group companies with the appropriate clearances. In selecting our subcontractors, we will fully consider how they are addressing information security. |
| 3. Maintaining & Improving Achievement Level | We will maintain the current security level which we have already achieved and improve it through our PDCA cycle activities. We will also enlighten and educate all of our employees, from executives downward, about information security so that they can acquire the appropriate knowledge and judgment. |
| 4. Adaptation to Environmental Changes | We will flexibly adapt to the environmental changes in our group's business areas, information assets handled by our group, and the information and communication technology (ICT) field, and will update our information security management system and rules accordingly. |
| 5. Threat Monitoring and Response | To protect information assets from both internal and external threats, we will implement necessary security monitoring for prevention. Should an information asset breach occur, we will strive to minimise damage through swift response. |
| 6. Development of Internal Regulations | We will establish internal regulations based on the Information Security Policy and clearly define guidelines not only for the handling of personal information but also for information assets as a whole. We will also make it widely known, both internally and externally, that we take a strict stance toward incidents such as information leakage. Furthermore, all employees are responsible for complying with these regulations and acting accordingly. |
| 7. Post-Incident Response Measures | We prepare for potential incidents by establishing incident response procedures and conducting incident response training. |
