The certificate on the wall isn't enough anymore
A few years ago, an ISO 27001 certificate was a clear competitive advantage for Vietnamese IT outsourcing companies entering the Japanese market. A client would ask "do you have ISO 27001?", you'd say yes, and the process would continue.
That market has changed.
Today, Japanese enterprise clients in manufacturing, finance, and healthcare run more detailed vendor due diligence processes. The question no longer stops at "do you have the certificate?" It becomes: "What scope does that certificate cover?", "When was your most recent surveillance audit?", "Can you show evidence that controls are being maintained?"
That's where many companies start running into trouble.
The problem with "ISO 27001 on paper"
An ISO 27001 certificate is valid for three years, with annual surveillance audits. But the certificate doesn't automatically reflect your actual compliance state on any given day.
Common situations in practice:
Certificate is valid but scope doesn't match the new project. A company achieved ISO 27001 for a scope that originally covered internal IT management. They then win a development project for a Japanese client, but the certificate scope doesn't include the development environment or data handling for external clients. The Japanese client reviews the certificate and catches this during due diligence.
Surveillance audit passed but controls drift afterward. Certificate is current, surveillance audit recently passed. But in the eight months since, some controls have started slipping: access reviews aren't running on schedule, a senior engineer who owned security review responsibilities left and nobody took over, the vendor assessment backlog has accumulated.
When the Japanese client requests a demonstration during an off-cycle security review, the team doesn't have evidence ready for the recent period.
Certificate without audit trail access for the client. Japanese enterprise clients increasingly want read access to a compliance portal to verify controls themselves, rather than receiving a PDF package prepared for each review cycle. If you don't have a platform with a real audit trail, you can't meet this requirement.
What Japanese clients are actually evaluating
Vietnam is a major outsourcing source for Japanese IT, and in that competitive environment, Japanese clients have become more sophisticated at distinguishing between compliance on paper and compliance in practice.
Specific points that IT governance teams at large Japanese companies typically check:
Evidence continuity: Not just "do you run access reviews?" but "here are access review records from January through June. When were they recorded, and who approved them?"
Incident response readiness: Not just "do you have an Incident Response Plan?" but "in the past 12 months, has that plan been tested? What were the results?"
Vendor management: The vendors you're using to deliver this project. Have they been assessed? When? Have DPAs or NDAs been signed?
Key person dependency: If your security person leaves, does your compliance program continue operating? Are processes documented well enough to be transferable?
These aren't questions that can be answered by pointing at a certificate.
Control drift: what happens when nobody is watching
"Control drift" is when controls are implemented correctly at audit time but gradually deviate from the baseline during normal operations.
It happens not because anyone is intentionally cutting corners, but because there's no mechanism to track it.
Common examples in IT outsourcing:
- A developer contractor is added to a project GitHub repo with full write access. The project ends, the contractor is off-boarded from the contract, but the GitHub access isn't revoked because nobody connected the two events.
- A production environment gets migrated to a new cloud provider during a project. The security baseline from the old provider doesn't automatically carry over to the new one, and nobody does a formal configuration review.
- Password policy is set in Active Directory, but after a version upgrade the setting resets to default, and nobody notices for four months.
When a Japanese client runs a technical review of your systems as part of vendor governance, these drifts get found. Not through the certificate.
From "getting certified" to "demonstrating compliance at any time"
The shift in expectations from the Japanese market reflects a broader trend: compliance is moving from event-based to continuous.
What that means in practice for IT outsourcing companies:
Audit trail always ready, not just before audit. Evidence is collected automatically and queryable for any period. When a Japanese client asks for evidence covering Q3, you can pull it immediately, not after two weeks of preparation.
Scope documentation that's clear and current. Each time you win a new project with different scope, assess whether the certificate scope needs to expand and document that process formally.
Shareable compliance dashboard. Instead of sending zip files of documents each review cycle, provide read-only access for the client's account manager to verify status when they need to.
No single-person dependency. Security operations are process-documented well enough to continue without interruption when the person responsible changes.
Practical questions for companies currently maintaining ISO 27001
If you're holding existing Japanese contracts or looking to expand to new Japanese enterprise clients, these are worth checking now:
- If a client asked for evidence of user access management over the past six months, could you provide it today?
- When was your most recent access review conducted, and where is it documented?
- Is your vendor list reviewed periodically, and where are the assessment records?
- If your security lead left tomorrow, which processes would be disrupted?
These questions don't come from an audit checklist. They come from the actual vendor governance processes of large Japanese companies.
The ISO 27001 certificate opens the door. Continuous compliance keeps it open.
See pTrackly for IT outsourcing teams maintaining compliance with Japanese clients to understand how the platform supports continuous evidence collection and real audit readiness.