In July 2024, FUJIFILM Business Innovation obtained ISO/IEC third-party assessed certification, becoming one of only 13 companiess*1 in the world with this certification.
With the spread of the Internet, information security has become more important than ever in the world.
Nowadays, security has become more complex and must be ensured not only for firmware and hardware but also for the entire supply chain. ISO/IEC20243 requires quality assurance from all business partners in the supply chain. We spoke to members of related departments who boldly took on the challenge of obtaining this certification.
- *1: As of December 2024
Kitazawa: We have been working on security measures for products such as multifunction printers for many years, dating back to the days of the former Fuji Xerox, which I think many people are aware of. Specifically, by implementing measures such as equipping multifunction printers with functions to prevent unauthorized access and interception and tampering of communication data, we have achieved the highest rating of AAAis in the NIST SP 800-171/172*2 (JaSRO)*3 evaluation, as well as the ISO/IEC 15408*4 certification and others. On the other hand, security measures not only within the company but also throughout the supply chain, including parts and software, can be said to be a new issue in the sense that its importance has started to attract attention in the past few years.
- *2: A guideline of security standards established by U.S. governmental agencies.
- *3: AAAis for the level of compliance with NIST SP800-171/172 by JaSRO.
- *4: An international standard for design and operations of information technology security with MFPs.
Doi: The background to this is the increasing number of malicious cases globally in which malicious programs are embedded into product software distributed in the supply chain, resulting in attacks on the information systems of customers who use the final products. The ISO/IEC20243 certification which we have obtained is an international standard aimed at reducing the risk of unauthorized parts and programs being replaced or embedded, as well as counterfeit products, in the product supply chain. By obtaining certification, it is possible to maintain and strengthen measures against security risks hidden throughout the supply chain.
Kitazawa: Some manufacturers were off to a lead in acquiring ISO/IEC20243 certification. In the future, as FUJIFILM Business Innovation expands its business beyond the Asia-Pacific region to the rest of the world, we believe it is important to have a system that can guarantee international security standards, so we moved to obtain certification.
Okochi: Although the requirements necessary to obtain certification are clearly specified by the certification issuing body, there is no specific definition of how to achieve each requirement, so we need to consider measures that suit our company’s processes. This was not easy. Therefore, we decided to first clarify the interpretation of each requirement, then compare it with existing supply chain processes to confirm whether the requirements are met, and review or add to the process where improvements are needed.
We proceeded in a two-step process by systematically organizing the content, conducting self-certification based on our own self-assessment, and then stepping up to third-party assessed certification. One of the characteristics of this initiative is that we conducted a detailed threat analysis to find out what kind of security risks could be expected in the supply chain of our company and our suppliers, inspected our processes based on that information, and took the necessary countermeasures. If the risks are not sufficiently identified, there would be omissions in countermeasures, so involved staff held many discussions.
Doi: Internally, collaboration with procurement and production departments was essential. These departments are working to improve QCD (quality, cost, delivery) as their top priority daily, so it feels like an increased workload to simply tell them “Please change or add processes to obtain security certification.” Therefore, in order to prevent the mixing of unauthorized parts and counterfeit products, we mutually discussed whether it is possible to meet the certification requirements by combining existing processes without taking excessive measures, and we worked with a policy of minimizing changes and additions to processes. The same applies to our suppliers, as we cannot force them to act excessively by prioritizing only our requests and logic. Thanks to our suppliers’ understanding of our stance through many years of sustainable procurement*5 initiatives, they cooperated with us in our activities to obtain this certification, but we have made every effort to minimize the workload on suppliers.
- *5: Procure raw materials and parts from suppliers while focusing on the environment, human rights/labor, safety and health, corporate philosophy, etc.
For example, when transporting parts to a supplier or our company, there is a security risk that a third party could open the packaging and tamper with the goods during the process. Therefore, the certification requirements recommended the use of packaging stickers that leave traces when removed, so that irregularities can be detected immediately. However, if this method is applied as is, it will result in significant costs and work hours for suppliers. Therefore, we decided to present the logic that our production bases have a system in place to essentially detect irregularity hidden in parts through quality inspections that are conducted when receiving parts, manufacturing multifunction printers, and before shipping.
Tanihata: I believe that the difficulty with security measures is balance. This applies to both the multifunction printers themselves and the supply chain. The more thoroughly security measures are pursued, the less convenient it will be for customers using the multifunction printers, and the more likely it will be a burden to suppliers and procurement/production departments, so this presents a dilemma. I realize every day that it is difficult to find the ideal balance within these measures.
On the other hand, there is no doubt that social needs for stronger security are increasing, and laws and regulations are also becoming stricter. Personally, I find the rewarding part of this job to be thinking about the best countermeasures to deal with these dynamic changes. We believe that FUJIFILM Business Innovation needs to further evolve its efforts while keeping an eye on trends in the PC and server industries, which are implementing advanced security measures.
Kitazawa: I would like to contribute to the expansion of the global market from a security perspective. To this end, we consider it a challenge to effectively communicate our security measures, including the acquisition of this certification, to our customers as part of the value we provide.
Doi: Since our company has many products other than hardware, such as software and cloud services, various security measures are required. In addition to firmly implementing these security measures, we would like to strengthen our appeal to customers so that security measures can lead to an increase in the value of our products.
Okochi: I believe that our company is a top runner in security measures in the multifunction printer industry. However, maintaining that position is not easy. I would like to make FUJIFILM Business Innovation a stronger company by constantly reflecting new ideas and technologies regarding security in our products and supply chain.
Tanihata: We will continue to develop products while always keeping abreast of the latest technologies and competitive trends, so that we can deliver value in the security field that our sales staff will want to actively introduce to our customers.
PDF: 739KB