Information Security

Information Security Policy
ZOZO Group recognizes that it is an important responsibility to properly protect the information assets held by the Group, including information entrusted by customers using its services, from various threats to information security. Based on this philosophy, the Group has formulated a basic policy for information security, and by implementing this policy, we declare that we will actively work to establish, operate and maintain an information security management system.

  1. ZOZO Group will comply with laws, regulations and other codes of conduct concerning information security.
  2. Through its ISMS activities, ZOZO Group will implement organizational, human, physical and technical safety control measures, engage in information security measures, and firmly establish them.
  3. ZOZO Group will continuously review and improve its management system for information security in light of changes in social and environmental conditions.

May 28, 2021
ZOZO, Inc.
Representative Director, President & CEO
SAWADA Kotaro

Efforts to provide safe services

Information security training
To raise awareness of information security among all ZOZO employees, we conduct training on information security through e-learning (held three times during fiscal year 2024).

Personal information management system
We ensure that all employees are thoroughly informed that any violation of our Privacy Policy—such as the accidental leakage, loss, or damage of personal information—will be addressed strictly. 
If such an incident occurs, we will take appropriate action in accordance with our Employment Regulations, including disciplinary measures.
Furthermore, we do not lend, sell, or otherwise provide personal information to third parties for any purpose other than the execution of business or services.

Vulnerability Assessment and Cyber Attack Simulation
ZOZO Group conducts vulnerability assessments and cyber attack simulations by an in-house organization and third-party institutions to provide safe and secure services. We also create incident response procedures for employees and review business continuity and crisis management plans and incident response procedures once a year.

Appropriate Management of Outsourced Business
We enter into contracts containing confidentiality clauses with business contractors, and when outsourcing operations involving the handling of personal information, we execute memorandums with contractors in accordance with the Personal Information Protection Act.

Audit System
We have established an internal audit system to verify the effectiveness and compliance of internal regulations and ISMS, and we also conduct external audits by an independent third-party organization. By conducting both internal and external audits annually, we confirm that all employees are adhering to the information security policy.

Achieving ISMS Certification

Under our information security policy, we have undergone audits by an independent third-party organization and obtained certification for our Information Security Management System (ISMS) based on the international standard ISO/IEC 27001:2022 and the Japanese national standard JIS Q 27001:2023, covering all company-wide operations and services.
*ZOZO and ZOZO NEW ZEALAND are covered.

Certified Standards
ISO/IEC 27001:2022 / JIS Q 27001:2023

Registration No.
IS 749678


Scope of Registered Certification
Operations described below for web-based services for BtoB and BtoC

  • Planning, development and operation
  • Customer Support
  • Operation of logistics centers
  • Technological development, R&D
  • Production and production support for apparel products

Date of Certification
July 15, 2021

Expiration Date
July 14, 2027

Examination and Certification Institution
BSI Group Japan K.K.

Threat Intelligence Collection and Security Event Monitoring

We centrally manage logs of PCs used for business and SaaS using SIEM (Security Information and Event Management) and continuously monitor for suspicious communications. We have also established an information sharing system with external parties to continuously collect information on cyber attacks occurring at other companies (cyber threat intelligence) and utilize the traces of such attacks (IOC information) in our own log analysis to proactively catch threats. Through these initiatives, we are striving to further improve the safety of our company.
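The IOC-driven log analysis described above, shown as an added example (this is illustrative code written for this page, not ZOZO's tooling). It assumes a hypothetical key=value log format such as a SIEM might produce, and the IOC feed and log lines are constructed for the example. It covers the details that matter in practice: indicators arrive "defanged" (hxxp, [.]) and must be normalised, a URL indicator is matched by its host, a domain indicator must also match its subdomains but not look-alike names that merely end in the same string, and IP indicators may be whole networks.

```python
"""IOC matching over normalised log lines (added example, not ZOZO's code).
Log format, field names, IOC values and log lines are all constructed."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed threat-intelligence feed. Feeds usually share indicators
# "defanged" (hxxp, [.]) so they cannot be clicked by accident.
RAW_IOCS = [
    "evil-login[.]example",
    "hxxp://cdn.badhost[.]example/payload.bin",
    "203.0.113.45",
    "198.51.100.0/24",
    "44d88612fea8a8f36de82e1278abb02f",  # MD5 of the EICAR test file
]

HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")
KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(value: str) -> str:
    """Turn a defanged indicator back into its real, lower-cased form."""
    v = value.strip().lower()
    return v.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


@dataclass
class IocSet:
    domains: set = field(default_factory=set)
    networks: list = field(default_factory=list)   # ip_network objects
    hashes: set = field(default_factory=set)

    @classmethod
    def from_feed(cls, raw):
        s = cls()
        for item in raw:
            v = refang(item)
            if HASH_RE.fullmatch(v):
                s.hashes.add(v)
                continue
            try:                      # single IPs become /32 networks
                s.networks.append(ipaddress.ip_network(v, strict=False))
                continue
            except ValueError:
                pass
            if "://" in v:            # URL indicator: keep only the host
                v = v.split("://", 1)[1].split("/", 1)[0]
            s.domains.add(v)
        return s

    def match_host(self, host):
        """Exact or subdomain match: a.evil.example matches evil.example,
        but notevil.example does not (the dot boundary is required)."""
        h = host.lower().rstrip(".")
        for d in self.domains:
            if h == d or h.endswith("." + d):
                return d
        return None

    def match_ip(self, ip):
        try:
            a = ipaddress.ip_address(ip)
        except ValueError:
            return None
        for n in self.networks:
            if a in n:
                return str(n)
        return None

    def match_hash(self, h):
        h = h.lower()
        return h if h in self.hashes else None


# Constructed log lines in a hypothetical normalised key=value format.
LOG_LINES = [
    "ts=2024-05-01T09:00:01Z src=10.0.0.12 type=dns qname=login.evil-login.example",
    "ts=2024-05-01T09:00:02Z src=10.0.0.12 type=proxy dst=203.0.113.45 host=cdn.badhost.example",
    "ts=2024-05-01T09:00:03Z src=10.0.0.17 type=proxy dst=93.184.216.34 host=www.iana.org",
    "ts=2024-05-01T09:00:04Z src=10.0.0.20 type=edr md5=44D88612FEA8A8F36DE82E1278ABB02F",
    "ts=2024-05-01T09:00:05Z src=10.0.0.21 type=proxy dst=198.51.100.77 host=notevil-login.example",
]


def parse_line(line):
    return dict(KV_RE.findall(line))


def scan(lines, iocs):
    """Return (line_index, field, indicator) for every IOC hit."""
    hits = []
    for i, line in enumerate(lines):
        f = parse_line(line)
        for key in ("qname", "host"):
            if key in f and (m := iocs.match_host(f[key])):
                hits.append((i, key, m))
        if "dst" in f and (m := iocs.match_ip(f["dst"])):
            hits.append((i, "dst", m))
        for key in ("md5", "sha1", "sha256"):
            if key in f and (m := iocs.match_hash(f[key])):
                hits.append((i, key, m))
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES, IocSet.from_feed(RAW_IOCS)):
        print(hit)
```

Line 4 of the constructed sample is the case worth noting: the look-alike host notevil-login.example is correctly not matched against the domain indicator, while its destination address is still caught by the /24 network indicator.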

Continuous monitoring of phishing sites

In order to ensure that ZOZOTOWN customers can use our services more safely, we continuously monitor phishing sites that are trying to trick ZOZOTOWN customers and take down the sites (disable the phishing sites by shutting them down, etc.). We also continuously monitor phishing e-mails, collecting information from them and responding to the latest threats.

Data Leak Prevention

Preventive Measures (precautions)
・Strengthening access control: Apply the principle of least privilege (grant access only to those who need it), require multi-factor authentication (MFA), and monitor login history.
・Encrypting data: Encrypt confidential data at rest and in transit, and restrict the use of USB drives and other external storage devices.
・Strengthening network security: Deploy firewalls and IDS/IPS (intrusion detection and prevention systems), and use VPNs (virtual private networks).
・Applying security patches: Update operating systems and software regularly, and conduct regular vulnerability assessments.
・Implementing backups: Back up data regularly, store copies offline, and keep versioned backups so that data encrypted by ransomware can be restored.
・Conducting security training: Train employees on phishing scams and social engineering to raise information security awareness.
・Conducting incident response training: Run exercises that simulate cyberattacks and establish procedures for rapid response.

Post-incident measures (response measures)
・Containing damage quickly: Identify the scope of damage and isolate affected systems.
・Investigating damage: Conduct log analysis and forensic investigations to identify the intrusion route and scope of impact.
・Notifying relevant parties: Promptly explain the situation to customers and business partners, and report to regulatory authorities (such as the Personal Information Protection Commission) as necessary.
・Preventing further damage: Change passwords for compromised accounts, delete or recover affected data.
・Implementing preventive measures: Review security measures, introduce new security solutions, and provide employee training and enforce stricter rules.

ZOZO CSIRT

ZOZO CSIRT is the organizational CSIRT (Computer Security Incident Response Team) of ZOZO Group. It is a member of the Nippon CSIRT Association.

Background of Establishment
ZOZO Group has worked for many years to establish and thoroughly implement information management. ZOZO CSIRT was established in April 2019 and joined the Nippon CSIRT Association in July of the same year. Its purpose is to strengthen the Group's information security initiatives and to operate a team that can respond to increasingly diverse incidents, as the number of employees and the range of services offered continue to grow.

Activities
ZOZO Group has established a basic information security policy to achieve the objectives of ISMS (Information Security Management System).

Establishment of DPO (Data Protection Officer)

We have appointed a DPO (Data Protection Officer) to ensure the appropriate use of customer data, including privacy. From an objective standpoint independent of the business units, the DPO monitors and advises on the protection of customer data from the planning and development stages of each service onward.

Privacy Policy

ZOZO Corporation and its subsidiaries and affiliates that adopt this policy and use personal information jointly (the "Group") provide a variety of services (hereinafter referred to as "Services"), including Internet shopping websites.
Our Group recognizes the importance of the personal information of customers using our Services and of all others who provide personal information to our Group.
We hereby declare that we will comply with the laws and other regulations concerning the protection of personal information, establish voluntary rules and systems, and establish, implement and maintain a privacy policy that includes the following matters.

  1. Our Group will comply with the Act on the Protection of Personal Information (hereinafter referred to as the "Act") and other related laws, regulations, guidelines and norms stipulated by the national government with regard to the handling of personal information, including that of employees, in all of our businesses. In addition, we will build an information management system that conforms to the Japanese Industrial Standards "ISMS conformity assessment scheme" (ISO 27001) to protect personal information.
  2. When acquiring and using personal information, our Group will specify the purpose of use and will not handle personal information beyond the scope necessary to achieve that purpose (use for other purposes). In addition, we will take appropriate management measures to prevent use for other purposes.
  3. Our Group will not provide personal information it has obtained to any third party without the consent of the person in question, except as permitted by laws and regulations.
  4. When we receive complaints and inquiries about the handling of personal information, we will promptly investigate the facts and respond in good faith within a reasonable period of time.
  5. In order to properly manage the personal information we acquire, our Group will take organizational, human, physical and technical safety measures to prevent the leakage, destruction or damage of personal information and to remedy any such incident. In addition, we will promptly dispose of customers' personal information once the retention period specified by law has passed or once we no longer need to handle it.
  6. In light of changes in social and environmental conditions, the Group will continuously review its personal information protection management system and improve its efforts to protect personal information.

Established September 1, 2006
Revised July 3, 2009
Revised January 31, 2018
Revised on November 29, 2018
Revised on December 1, 2019
Revised on June 28, 2021
Revised on November 5, 2021
Revised on March 30, 2022

SAWADA Kotaro
Representative Director, President and CEO
ZOZO, Inc.
ZOZO Group Privacy Policy