I passed the Information Processing Safety Assurance Support Specialist (Registered SecSpec) exam in the fall of Reiwa 5 (2023) and was registered as a Registered Information Security Specialist in April 2024. Here is a summary of my experience.
What Is the Registered Information Security Specialist (RISS)?
The Registered Information Security Specialist (RISS) is a national certification recognized by the Minister of Economy, Trade and Industry of Japan, certifying that the holder possesses specialized knowledge and skills in information security. It is obtained by passing the Information Processing Safety Assurance Support Specialist exam (the successor to the Information Security Specialist exam) and completing the required registration procedures.
For details on the background and exam content, the following links are helpful:
- Information Processing Safety Assurance Support Specialist - Wikipedia (Japanese)
- Registered Information Security Specialist - IPA
Difficulty and Pass Rate
In the fall 2023 exam that I took, there were 14,964 examinees and 3,284 passed (a pass rate of 21.9%). Roughly 1 in 5 candidates passed.
The range of examinees was quite broad. At my testing center, the majority appeared to be working professionals in their 20s and 30s.
Study Methods for the RISS Exam
Prior Knowledge Level
- Knowledge equivalent to passing the Applied Information Technology Engineer Examination.
- In terms of security, I had experience taking SecCap courses during graduate school.
Study Time
I studied approximately 1 hour per day, spread loosely over about one year.
Materials and References Used
First, I read through Security Technology Textbook, 2nd Edition once to get an overview of the exam scope. This book was very easy to understand, and I revisited it from time to time.
For the morning exam preparation, I solved 10 questions daily on Information Processing Safety Assurance Support Specialist.com continuously until exam day.
For the afternoon exam, I used the following reference books. After going through the first book 3 times, I got a bit tired of it and purchased the second one, completing it once. The explanations in the second book were slightly more detailed, but the content was essentially the same, so one book should be sufficient.
- Information Processing Safety Assurance Support Specialist Exam Preparation Book
- Information Processing Safety Assurance Support Specialist: Specialized Knowledge + Afternoon Questions
Right before the exam, I did a final review with the following practice test collection:
Exam Results
I passed with the following scores:
- Morning 1: Exempted
- Morning 2: 80 points
- Afternoon: 84 points
Registration Process for RISS
Registration for the Registered Information Security Specialist occurs twice a year. You can register by mailing the required documents and paying the registration fee.
Application Documents for New Registration
The registration process is relatively straightforward – you simply fill out and mail all the documents published by IPA after passing the exam.
Main required documents:
- Registration application and current status survey form
- Oath
- Copy of the exam pass certificate, or original of the pass certification
- Family register extract or copy of resident record
- Registration information disclosure notification
- Registration application checklist
I was surprised that everything had to be submitted on paper (I wish they would digitize this).
Registration Flow
- Pass the Information Processing Safety Assurance Support Specialist exam.
- During the registration period, mail the required documents to IPA.
- Receive the registration certificate.
Once registration is complete, your name and basic information are published on the RISS Search Service - IPA (you can select which information to disclose during application).
Additionally, your public email address, skills, and career history can be edited at any time through the My Page available after registration. Changes to your name, address, or employer require a separate application.
The above information is current as of spring 2024. Please check the IPA website for the latest information.
Benefits of RISS
There are mainly four benefits:
Benefit 1: A Title-Protected Qualification That Provides Social Trust
The RISS is a national certification proving specialized skills in information security. By obtaining this certification, you can work as an information security professional and gain social trust.
Benefit 2: Partial Exemptions from Other Public Exams
Some subjects may be exempted in other national or public certification exams. Examples:
- Partial subject exemption for the Patent Attorney Examination
- Partial subject exemption for the Professional Engineer First Examination
- Part of the registration requirements for Certified IT Professional (CITP)
Benefit 3: Access to Exclusive Training
RISS holders are required to take ongoing training to maintain their certification. While this is mandatory, it provides opportunities to continuously update knowledge and skills, which I personally view as a benefit.
Benefit 4: Preferential Treatment at Some Companies
Some companies offer benefits such as certification allowances or promotion advantages for RISS holders.
Drawbacks of RISS
There are mainly three drawbacks:
Drawback 1: Not an Exclusive Practice Qualification
The RISS is a “title-protected qualification” – unlike doctors or lawyers, it does not grant exclusive rights to perform specific tasks. Having the certification does not mean you can monopolize certain work.
Drawback 2: Legal Obligations
RISS holders have three legally defined responsibilities:
- Prohibition of acts that damage credibility
- Confidentiality obligation
- Training attendance obligation
Violation of these responsibilities may result in disciplinary action such as revocation of registration.
However, “prohibition of acts that damage credibility” and “confidentiality obligation” are principles that should be observed in normal work anyway, so they are not particularly burdensome for RISS holders specifically. Rather, being aware of these responsibilities helps you be more conscious about trustworthiness and confidentiality in other work as well.
Drawback 3: Maintenance Costs
Honestly, the maintenance costs are expensive:
- New registration fee: approximately 20,000 yen
- Common training: approximately 20,000 yen (annually)
- Practical training: approximately 80,000 yen or more (once every 3 years)
Due to these high maintenance costs, a significant number of people who pass the exam choose not to register. Details on the training are explained in the next section.
Training
To maintain the certification, you need to take two types of training periodically:
- Common Training (Online Training): Required once per year.
- Practical Training (IPA’s “Practical Training” or private organization’s “Specified Training”): One of these must be taken once every 3 years.
The training fees are expensive, but the content seems interesting, so I’m looking forward to attending.
Common Training (Online Training)
Training that needs to be taken in the first year of registration.
Course overview:
- Knowledge: Expected roles and knowledge for RISS holders
- Skills:
  - Information security management
  - Incident response (organizational)
  - Incident response (technical)
- Ethics:
  - Ethics and compliance
  - Laws and regulations for achieving compliance
IPA Practical Training
Focuses on more practical content centered around case studies.
Specified Training by Private Organizations
Various formats are available, including lecture-based, hands-on, and exercise-based training, covering a wide range of topics.
- Specified Training by Private Organizations - IPA
- FY2024 Specified Training List: RISS FY2024 Specified Training (PDF) - METI
My Experience: What I Learned and What I Didn’t
Here I share my personal experience – what motivated me to take the exam, what I learned through studying, and what I felt was lacking.
Why I Took the RISS Exam
Security is essential knowledge in any department, allows you to learn across various technology domains, and is directly applicable to software development work.
Among security certifications, the RISS exam has high domestic credibility and covers information security comprehensively. Additionally, compared to international certifications like CEH (Certified Ethical Hacker) and CISSP (Certified Information Systems Security Professional), the financial barrier was lower, which was a deciding factor.
Why I Registered as RISS
Registration is not mandatory even after passing the exam. However, registered holders are required to take ongoing training. Having a semi-mandatory environment to continuously learn the latest knowledge after certification was very attractive to me.
What I Learned from RISS
I gained deep knowledge not only in technologies directly related to the web applications I work with, but also in cryptographic techniques, authentication technologies, and networking that I use without conscious awareness.
Beyond the technical domain, I was able to study a wide range of fields including security management and related laws.
What I Didn’t Learn from RISS
I cannot say I sufficiently mastered specific attack and defense techniques, as there were few opportunities to learn through actual code (Udemy CTF walkthrough videos were more practical for that purpose).
Regarding security management, since the exam preparation dealt with fictional organizations, I have some uncertainty about whether it can be directly applied in practice.