SecureNavi Inc. (Headquarters: Minato-ku, Tokyo; CEO: Tomohiro Izaki), which is DX-ing the "humanities security" domain such as information security certification, compliance with regulations and guidelines, development and operation of internal information security regulations, and audits and reviews, conducted a survey targeting 400 individuals in information security and information systems departments responsible for external risk checks or security reviews of internal systems, to understand the actual state of risk checks (security audits) for outsourced vendors, cloud services, and internal systems.

Report "Survey on the Actual State of Risk Checks in Japanese Companies 2026" here: https://eu1.hubs.ly/H0wDtWs0

Background and Objectives of the Survey

Attacks targeting supply chains and outsourced vendors have consistently ranked high in IPA's "Top 10 Threats to Information Security" [Organizational Edition] for 8 consecutive years. In fiscal year 2026, a security measure evaluation system for strengthening supply chains (SCS evaluation system) to evaluate the security of business partners with common standards is expected to be launched. "How to ascertain the safety of business partners and cloud services" is a pressing issue for many companies today. However, the actual situation on the front lines of risk checks has not been quantitatively discussed until now. This survey revealed a structural reality that cannot be explained solely by company size: "Even with a system in place, we are overwhelmed by the volume and exception handling."

With this awareness, the survey was conducted with the objective of quantitatively clarifying the implementation status, systems, and challenges of risk checks and security audits for outsourced vendors, cloud services, and internal systems. It also focused on differences by employee size and industry, aiming to serve as a benchmark for each company to relatively grasp its own position.

Survey Overview

Report Name

Survey on the Actual State of Risk Checks in Japanese Companies 2026

Survey Objective

To quantitatively grasp the implementation status, systems, and challenges of risk checks/security audits for outsourced vendors, cloud services, and internal systems.

Survey Method

Internet Survey

Number of Survey Respondents

Total: 400 individuals (Those in information security and information systems departments responsible for external risk checks or security reviews of internal systems)

Survey Period

June 9, 2026 - June 10, 2026

Survey Summary

Approximately 40% "Haven't Checked Everything" - Less Than Half Conduct Regular Risk Checks on All Targets

Only 47.8% of companies responded that they are able to conduct regular risk checks and security audits on "all targets," while 39.8% stated they "only conduct them on some targets." The implementation rate varied from 29.8% for small and medium-sized businesses (up to 299 employees) to 74.1% for super-large corporations (10,000+ employees), indicating that the audit system is not keeping pace with the ever-increasing number of outsourced vendors, cloud services, group companies, and internal systems.

The "Correct Answer" for Audits Resides in People's Minds - Judgment Criteria Are Personalized in About 70% of Companies

Only 22.5% of companies have "clear judgment criteria that anyone can use to make decisions." The largest group, 44.8%, indicated "somewhat clear, but with interpretation variations." When combined with "dependent on the担当者's experience and knowledge" and "hardly clarified, requiring ad-hoc decisions," approximately 70% of companies had judgment processes that were influenced by individuals or situations. If the person in charge changes, the judgment can waver, and it becomes difficult to explain "why that conclusion was reached." Such personalization directly leads to governance risks.

"Larger Companies Aren't Necessarily Safer" - Sense of Urgency Peaks in "Mid-to-Large Enterprises," Reverses in Super-Large Corporations

The distribution of "sense of urgency" is noteworthy. The sense of urgency (strongly + somewhat feeling) that "risk check and security audit operations will not be manageable if things continue as they are" does not simply increase with company size. It peaked at 68.3% for companies with 1,000 to 9,999 employees and then reversed to a decrease to 53.4% in super-large corporations (10,000+ employees) (overall was 60.5%). This suggests that the companies feeling the most urgency of "not being able to cope" are those in the "transitional phase of growth" where targets and numbers are rapidly increasing, but a dedicated system is not yet fully established. The peak of danger is not necessarily in super-large corporations.

"Difficult" Means Different Things Depending on Company Size - Challenges Vary in Nature by Company Size

The main challenges differed significantly by employee size. For small and medium-sized businesses, the biggest challenges were "personalization of judgment criteria" (37.5%) and "personnel shortages" (36.5%). For mid-to-large enterprises, it was "a large number of risk acceptance (exception) responses that cannot be managed" (37.3%). For super-large corporations, it was "a high volume of audits that cannot be processed in time" (39.7%). In other words, knowing your company's size is akin to knowing your "type of problem," and the countermeasures (solutions) change with size.

In addition, the report includes a total of 10 questions, such as the number of managed items and frequency of new occurrences by target (outsourced vendors, cloud services, group companies, internal systems), the actual state of risk acceptance (exception) responses, and a comparison of improvement intentions by size. It also contains cross-tabulation results by size and industry.

Download Report "Survey on the Actual State of Risk Checks in Japanese Companies 2026" here:

https://eu1.hubs.ly/H0wDtWs0

Announcement of Report Explanation Seminar

We will be holding an online seminar to discuss the contents of this report in more detail. Koichi Sato, Head of the "2 Lines of Defense" Cloud Business, will provide an easy-to-understand explanation of the key findings of the survey, as well as the latest topics such as trends in attacks targeting supply chains and outsourced vendors, and the SCS evaluation system. Participation is free. Please feel free to join us.

Seminar details and registration here: https://eu1.hubs.ly/H0wDtWq0

Comments from the Person in Charge

Koichi Sato, Head of "2 Lines of Defense" Cloud Business, SecureNavi Inc.

The survey results were, in a sense, as expected. The highest sense of urgency is not among the largest corporations, but in the "mid-to-large enterprises" just before them. Without reaching the scale to establish a dedicated system, the increasing number of targets and exception handling suddenly become a burden. For many companies, this scale is not a temporary phase but a stable state. That is precisely why the current difficulties will not resolve naturally and will continue unless the "design" of the operations is changed.

Ultimately, this is not a matter of individual effort, but a matter of operational "design." Because they are busy with tasks, standards are not established, and because standards are not established, tasks do not decrease. Unless this vicious cycle is broken, simply increasing personnel will not suffice. The desired state can be summarized into three points: "a mechanism that can operate without increasing personnel," "resolution of personalization," and "management of exceptions." The countermeasures for this differ by scale, but the direction is the same.

I believe the true role of the "second line of defense" is not as "workers who process checks," but as "people who design and implement controls." It is to create a system where the entire organization's judgments are aligned, use that system to continuously assess risks, and distinguish between what to accept and what to address. That is the essential role of the second line of defense. The more they are caught up in immediate tasks, the more time they lose to face this role. I hope this report will serve as an opportunity to reframe your company's risk checks from "tasks to be completed" to "activities to manage risk."

About "2 Lines of Defense" Cloud

SecureNavi believes that the "personalization," "volume," and "exception handling" highlighted in this survey are not individual issues but structural operational challenges stemming from the fact that second-line defense operations themselves have been designed assuming manual labor. "2 Lines of Defense" Cloud is a cloud service that has redesigned security risk assessment operations for outsourced vendors, systems, cloud services, group companies, etc., into an "operational model that can be executed at the same level regardless of who is in charge." It supports the transition from "person-dependent" operations to a reproducible "operational structure" through standardization of evaluation processes, centralized management of responses, evidence, and history, and AI-assisted review support.

Cloud Service for Security Risk Assessment for Second Line of Defense Departments "2 Lines of Defense" Cloud: https://fitgap.jp/audit

About SecureNavi Inc.

Company Overview

Company Name: SecureNavi Inc.

Representative: Tomohiro Izaki, Representative Director & CEO

Location: 4F Shirakawa Showroom Bldg., 3-23-6 Nishishinbashi, Minato-ku, Tokyo 105-0003

Corporate Site: https://secure-navi-inc.jp/

Services Provided

ISMS/P Mark Automation Tool "SecureNavi": https://secure-navi.jp/

Platform for Automating and Streamlining Compliance with All Security Regulations "Fit&Gap": https://fitgap.jp/fg

Cloud Service for Security Risk Assessment for Second Line of Defense Departments "2 Lines of Defense" Cloud: https://fitgap.jp/audit

Security Check Sheet Automatic Response Tool "SecureLight": https://secure-navi.jp/securelight

FACT BOX

  • Source: PR TIMES
  • Category: Surveyレポート
  • Organizations: IPA