Ryohin Keikaku Co., Ltd.

Governance

Information Security and Protection of Personal Information

Ryohin Keikaku recognizes that information security risks are an important management issue, and has established an Information Security*1 Policy to properly protect data and safely manage information assets.

1. Definition of information security

  1. “Information security” refers to the protection of information assets handled by Ryohin Keikaku from threats in areas related to confidentiality, integrity and availability, and includes cybersecurity.
  2. “Cybersecurity” refers to taking measures to ensure the safe management of information. This includes prevention of information leakage, loss or damage, as well as measures to ensure the safety and reliability of information systems and information communication networks in order to properly maintain and manage their condition.

Purpose

Ryohin Keikaku created the Information Security Policy with the aim of maintaining the trust of its customers and society. We take basic and advanced measures to safeguard the information assets that have been entrusted to us by customers and related parties, as well as to comply with relevant laws and regulations and enhance our global corporate brand.
We are committed to strengthening information security by adhering to our Information Security Policy and Privacy Policy,*2 protecting information assets against potential threats, and managing them in a proper manner.

2. "Privacy Policy" is defined separately in accordance with the Personal Information Protection Management System (PMS).

Basic Approach

Establishment of an information security management system

Ryohin Keikaku will continuously improve its information security through the operation of an information security management system. This system involves identifying information assets, analyzing the risks associated with each asset, and taking appropriate actions to implement countermeasures against unauthorized access, viruses and leaks.

Protection of information assets

Ryohin Keikaku takes appropriate organizational and technical measures to reliably protect the confidentiality, integrity and availability of information assets.

Compliance with laws, regulations and other rules

Ryohin Keikaku complies with laws, regulations and other rules regarding information security and protection of personal information.

Implementation of education and training

Ryohin Keikaku provides essential education and training to ensure that all executives and employees fully recognize the importance of information assets.

Scope of Application

All companies and bases of the Ryohin Keikaku Group
All executives and employees of the Ryohin Keikaku Group
All information assets used and owned by the Ryohin Keikaku Group

Management System

At Ryohin Keikaku, the Compliance and Risk Management Committee, which is chaired by a senior executive officer who is in charge of overall administration, oversees relevant activities of the Group based on its basic policies. The committee has established the IT Security Office and Personal Information Protection Office to accurately grasp the status of information security and to discuss and promote countermeasures. Each Group company and division appoints a person in charge of information security and strives to strengthen and thoroughly implement the information management system.
The Personal Information Protection Office formulates rules and policies for personal information management and manages the overall process. The IT Security Office builds, maintains and operates the IT infrastructure environment in compliance with regulations and policies, and works for its continuous improvement. Reports on related activities are made to the Compliance and Risk Management Committee, which meets four times a year, and the details of deliberations are reported to the Board of Directors at least twice a year.
The Board of Directors assesses information security incidents in the Group’s businesses that were discussed, confirms the sufficiency of risk assessments and mitigation measures, and supervises their progress.

Information Security Management System

Protection of Personal Information

Ryohin Keikaku conducts personal information protection activities based on its Privacy Policy for personal information handled in all business activities and adopts necessary protections and appropriate security measures.
We appoint a person from within the organization with the ability to understand and implement personal information protection as a “personal information protection manager.” This person assumes responsibility and authority for implementing and operating the personal information protection management system.

Privacy Policy

Strengthening Information Security

Acquisition of ISO 27001 certification*3

In July 2025, Ryohin Keikaku obtained ISMS certification*4 (ISO/IEC 27001: 2022 (JIS Q 27001: 2023)) for its Healthcare Center service*5. We conduct oversight of information security appropriately and as necessary, address any violations, and properly manage information in accordance with the ISMS certification standards.

Registration number: IS 821908
Organization name: Ryohin Keikaku Co., Ltd.
Scope of registration: Health consultations, sale of traditional Chinese medicines, planning and operation of health-related events, and operation of the Healthcare Center service.
Original registration date: July 7, 2025

3. ISO 27001: A framework of which the purpose is to contribute to improvement of information security in general, and to achieve a level of information security that can earn trust internationally.
4. ISMS certification (ISO/IEC 27001: 2022): A third-party conformity assessment framework for information security management systems.
5. Excludes the Healthcare Center in MUJI Sakata.

CSIRT Initiatives

The Ryohin Keikaku Group is working to create an ISMS-compliant system. We have established MUJI-CSIRT*6 as a unit charged with responding to information security issues, and have formally joined the Nippon CSIRT Association.
MUJI-CSIRT is carrying out a series of actions related to information security, including introduction of information security controls, related information gathering, analysis and risk assessment.
Through these actions, we are strengthening the Ryohin Keikaku Group’s information security management system.

6. A cross-functional unit charged with incident response, primarily made up of the director in charge of IT and the Information Security Office

Incident Response

When an incident occurs, the MUJI-CSIRT will take the lead in rapidly responding based on the proper procedures to minimize damage and prevent a recurrence. In addition, it reviews the incident to identify issues related to information security and make improvements as part of ongoing efforts to prevent recurrence.

Training on Information Security

Ryohin Keikaku recognizes that the thorough comprehension and participation of all employees is essential for information security management. Based on this understanding, we provide information security training to all executives and employees. We also regularly conduct the following initiatives, which are effective for continuously improving security literacy, while assessing the level of understanding and raising awareness. By fostering security literacy throughout our organization, we aim to become resilient to cyber risks.

  1. Conduct e-learning on information security for all employees at least twice a year
  2. Conduct training on targeted e-mail attacks for all employees twice a year
  3. Provide appropriate reminders prior to long vacations and other events, and conduct awareness-raising activities and follow-ups during daily work

Information Security e-Learning

Implemented | Training Theme | Participation Rate | Number of Participants
December 2022 | Information security | 80.5% | 1,528
March 2023 | Personal information protection | 77.5% | 1,858
September 2023 | Social media and stealth marketing | 87.0% | 2,076
February 2024 | Personal information protection | 41.9% | 4,472
October 2024 | Personal information protection | 74.0% | 16,693
May 2025 | Risks related to generative AI | 81.0% | 2,155

*7 Starting from the February 2024 training session, the scope of participants has been expanded to include all employees, including partner employees and part-time workers. Moving forward, we will further strengthen information security education for partner employees and part-time workers.
