Back to Blog
testimonial-strategy
ismap
ipa
japanese-government
cloud-procurement
japan-public-sector
cloud-registration

Testimonials from Customers Who Have Completed an ISMAP Registration — Calibrating Quote Specificity Around the Cloud Service List, Audit Scope, and the Japanese-Government Procurement Disclosure Boundary

ProofShow Team··11 min read

A customer's completion of an ISMAP (Information system Security Management and Assessment Program) registration is a distinctive testimonial moment in the Japanese-government and broader Japanese-public-sector vertical because ISMAP — operated jointly by the Information-technology Promotion Agency (IPA), the Ministry of Economy, Trade and Industry (METI), and the Digital Agency — produces a cloud-service-registration artifact that follows disclosure norms diverging from SOC 2, ISO 27001, FedRAMP, and BSI C5. Most testimonial programs treat ISMAP registration as interchangeable with ISO 27017 because the ISMAP control set draws on the cloud-extension catalogue lineage, but the operational reality is that ISMAP registrations are produced under one of two service categorizations (ISMAP for general government use and ISMAP-LIU for low-impact-use cases) against a specific cloud-service scope and a specific audit-firm engagement, are published on the official ISMAP Cloud Service List under government-determined disclosure norms, and are referenced by consuming Japanese-government ministries and agencies through procurement-eligibility rules that govern downstream testimonial use.

This guide separates the ISMAP registration cycle into four phases, explains the testimonial-wall risks in each phase, and provides per-phase playbooks calibrated to the Japanese-public-sector procurement mechanics that most ISMAP-completing customers operate under. For broader context on compliance-anchored testimonials, see the playbooks on testimonials when a customer completes a SOC 2 audit, testimonials when a customer completes an IRAP assessment, and testimonials when a customer completes a FedRAMP authorization.

The four ISMAP registration-cycle phases

A typical ISMAP registration path runs through cloud-service-scope definition and audit-firm selection, on-site-audit-and-finding-resolution, ISMAP-committee-review-and-cloud-service-list-publication, and consuming-ministry-procurement-eligibility review against each ministry's own cloud-use framework (which in the Japanese-government context routinely references the government-wide common standards for information-security measures as the next layer). The cycle commonly spans twelve to eighteen months for a first-time ISMAP registration and six to ten months for an ISMAP-LIU registration on a previously-audited service scope. Customers move through four distinct phases relative to the registration.

Phase 1: Cloud-service-scope definition and audit-firm engagement (the period before the audit firm has been formally engaged). The customer is defining the cloud-service scope to be registered, selecting between the ISMAP and ISMAP-LIU categorizations based on the service's intended government-use profile, identifying an ISMAP-recognized audit firm, and producing the documentation set that will be presented to the auditor. The customer is highly engaged with the vendor's cloud-security posture and control-implementation evidence but cannot yet claim an ISMAP-registered status. Testimonials produced during scope-definition have a control-implementation-and-documentation character — the customer can speak to the vendor's ISMAP-control-mapping clarity, system-security-documentation completeness, and pre-audit-support responsiveness.

Phase 2: On-site audit and finding resolution (the period between audit-firm engagement and the audit firm's final report delivery). The customer has engaged an ISMAP-recognized audit firm and the firm is conducting interviews, reviewing evidence, performing on-site observation, and producing the ISMAP audit report. The customer is highly engaged operationally and is preparing for the ISMAP-committee review step that follows the auditor's report. Testimonials produced during on-site-audit-and-finding-resolution have an auditor-process-and-vendor-collaboration character — the customer can speak to vendor responsiveness during the auditor's interviews, evidence-presentation discipline, and finding-resolution coordination, but should not claim a completed ISMAP registration before the auditor delivers the final report and the ISMAP committee completes its review.

Phase 3: ISMAP-committee review and Cloud Service List publication (the period after final report delivery and through registration publication, typically two to four months). The audit firm has delivered the final audit report, the customer has submitted the report to the ISMAP committee for review, and the committee is conducting its review of the audit results and the customer's residual-risk-management posture. Once the committee completes its review and approves the registration, the customer's cloud service is published on the official ISMAP Cloud Service List with the service name, registered scope, and registration date. Testimonials produced during the committee-review-and-listing phase have a registration-progression-and-publication character — the customer can speak to the vendor's collaboration through the audit, committee-review, and listing window, and can reference the achieved ISMAP registration once the service has been published on the Cloud Service List.

Phase 4: Steady-state operation and annual continuous-evaluation cycle. The ISMAP registration is active subject to the annual continuous-evaluation requirement, and the customer operates against the registered scope while preparing for the next continuous evaluation. The continuous-evaluation cycle requires the customer to maintain the audited control posture and to engage with the audit firm for periodic re-evaluation, with the registration remaining on the Cloud Service List subject to the continuous-evaluation outcome. Testimonials produced in steady-state operation have an operational-stability-and-government-procurement-eligibility character — the customer can speak to how the vendor's control posture supports the customer's continued ISMAP-listed status, ministry-procurement cycles that depend on the ISMAP listing, and the cadence of annual continuous-evaluation engagements. These are the highest-trust testimonials in the cycle because they are produced with the benefit of the full operational record between the registration and the testimonial date.

The seven quote-request timing risks

Timing a quote request against an ISMAP registration cycle introduces seven distinct risks that do not all apply to other compliance-attestation testimonials. Mapping them explicitly prevents the most common testimonial-wall failures.

Risk 1: Pre-audit quote framed as completed registration. A quote collected in Phase 1 — when the customer is doing scope definition and has not engaged the audit firm — that is presented on the testimonial wall as an "ISMAP-registered customer" testimonial. This is the highest-frequency failure mode because the marketing team is impatient for the testimonial and the customer is enthusiastic about the control-implementation work, but the public-facing claim is unsupported and is visible to other Japanese-public-sector prospects who run their own Cloud Service List checks against the official ISMAP portal.

Risk 2: Mid-audit quote framed as completed registration. A quote collected in Phase 2 — when the audit firm is conducting the audit but has not delivered the final report and the ISMAP committee has not completed its review — that is presented as a completed ISMAP registration. The customer often has high confidence the audit will close successfully and speaks as if the registration is complete, but ISMAP registration is not complete until the committee approves and the service is published on the Cloud Service List.

Risk 3: Categorization misstatement. A quote that references "ISMAP-registered" without specifying the categorization (ISMAP versus ISMAP-LIU), or that claims the ISMAP categorization when the registration is actually under ISMAP-LIU. The two categorizations differ in the impact-tier of government use they are intended for, and conflating them in a testimonial misleads the prospect about the actual procurement-eligibility of the service.

Risk 4: Scope-boundary overclaim. A quote that describes the vendor's contribution to the ISMAP registration in ways that imply broader scope coverage than the customer's actual registered scope. The ISMAP scope is published explicitly on the Cloud Service List, and a testimonial that overclaims scope can be cross-checked by any prospect against the public listing.

Risk 5: Continuous-evaluation-cycle staleness. A quote that references the customer's ISMAP registration without acknowledging that the registration is subject to annual continuous evaluation. A testimonial that quotes a customer at the registration date and is still on the testimonial wall years later — without confirming the customer's continued ISMAP-listed status — is structurally stale and risks misleading a prospect about the current ISMAP status of the reference customer.

Risk 6: Ministry-attribution overclaim. A quote that names specific Japanese-government ministries or agencies as users of the customer's ISMAP-listed service without the customer's explicit confirmation that those ministries have actually procured the service. ISMAP listing makes a cloud service eligible for government procurement; it does not by itself constitute a procurement. Quoting specific ministry attribution requires customer-confirmed evidence of the procurement.

Risk 7: ISMAP-portal-disclosure-norm violation. A quote that publishes information about the customer's ISMAP audit report or registered control posture beyond what is published on the official ISMAP Cloud Service List. The audit report itself is subject to disclosure-norm controls between the customer, the audit firm, and the ISMAP committee, and republishing report-detail in a testimonial wall can violate the customer's disclosure agreements.

For broader discussion of compliance-anchored testimonial staleness in general, see testimonial content decay after product version changes and testimonial attribution decay when customers leave.

The per-phase playbook

Phase 1 playbook — Scope definition and audit-firm engagement

The quote-request goal in Phase 1 is to capture the control-implementation-and-documentation character of the engagement without overclaiming registration status. Three rules apply.

Quote scoping rule. The quote-prompt must direct the customer toward the pre-audit relationship — control-implementation collaboration, ISMAP-control-mapping clarity, documentation-support work — not toward the registration outcome. A useful Phase 1 prompt: "How did the vendor support your team during the ISMAP scope definition and pre-audit preparation?"

Publication rule. The quote is publishable as a "pre-audit collaboration" testimonial. It is not publishable as an "ISMAP-registered customer" testimonial. The testimonial-wall framing must match the actual relationship state at the quote date.

Decay-window rule. A Phase 1 quote becomes stale when the customer moves into Phase 2 or Phase 3. The testimonial-wall management process must trigger a quote refresh at the phase transition.

Phase 2 playbook — On-site audit and finding resolution

The quote-request goal in Phase 2 is to capture the auditor-process-and-vendor-collaboration character of the engagement without claiming a completed registration. Three rules apply.

Quote scoping rule. The prompt directs the customer toward auditor-process collaboration — interview-window responsiveness, evidence-presentation discipline, finding-resolution coordination. The customer should not be prompted to speak as if the registration is complete. A useful Phase 2 prompt: "How did the vendor support your team during the auditor's on-site assessment and finding-resolution windows?"

Publication rule. The quote is publishable as an "audit-in-progress collaboration" testimonial. The testimonial wall should not claim a completed ISMAP registration for the customer in Phase 2.

Decay-window rule. A Phase 2 quote becomes stale when the audit firm delivers the final report and the ISMAP committee begins its review. The phase transition is the trigger for a quote refresh.

Phase 3 playbook — Committee review and Cloud Service List publication

The quote-request goal in Phase 3 is to capture the registration-progression-and-publication character of the engagement, with the categorization and registered scope specified. Three rules apply.

Quote scoping rule. The prompt directs the customer toward the through-cycle collaboration — pre-audit preparation, audit-window responsiveness, and committee-review and listing support. A useful Phase 3 prompt: "How did the vendor support your team across the ISMAP cycle through to publication on the Cloud Service List?"

Publication rule. The quote is publishable as an "ISMAP-registered customer" testimonial once the cloud service has been published on the official Cloud Service List, and the categorization (ISMAP or ISMAP-LIU) and registered scope must be specified in the testimonial framing.

Decay-window rule. A Phase 3 quote remains current through Phase 4 operation, subject to the annual continuous-evaluation outcome. The testimonial-wall management process must track the continuous-evaluation cycle and trigger a renewal-or-retirement decision if the continuous-evaluation outcome changes the registration status.

Phase 4 playbook — Steady-state operation

The quote-request goal in Phase 4 is to capture the operational-stability-and-government-procurement-eligibility character of the engagement. Three rules apply.

Quote scoping rule. The prompt directs the customer toward the operational record — how the vendor's control posture has supported the customer's continued ISMAP-listed status, how ministry-procurement cycles have been supported (without naming specific ministries unless the customer confirms), and what cadence of annual continuous-evaluation engagements has been observed. A useful Phase 4 prompt: "Now that your ISMAP registration has been in operation for [N] months, how has the vendor's control posture supported your continued listed status and annual continuous-evaluation engagements?"

Publication rule. The quote is publishable as a steady-state ISMAP-registered customer testimonial with the operational duration and continuous-evaluation engagement specified. This is the highest-trust testimonial framing in the cycle.

Decay-window rule. A Phase 4 quote remains current within the annual continuous-evaluation window. If the customer's continuous evaluation produces a finding that changes the registration status, the testimonial must be retired or re-scoped to the historical period only.

The testimonial-wall management cadence

Operating the four phase playbooks across a portfolio of ISMAP-completing customers requires a fixed-cadence review of the testimonial wall against the Cloud Service List state of each reference customer.

Quarterly cadence. Every 90 days, the testimonial-wall manager reviews the phase-state of each ISMAP-completing reference customer and the corresponding testimonial. Quotes in Phase 1 or Phase 2 are checked for phase-transition triggers. Quotes in Phase 3 or Phase 4 are checked for continuous-evaluation-cycle staleness.

Cloud Service List check. For each Phase 3 and Phase 4 testimonial, the manager verifies on the official ISMAP Cloud Service List that the customer's cloud service is still published and the categorization and registered scope claimed in the testimonial still match the published listing. Discrepancies trigger a quote refresh or retirement.

Ministry-procurement-cycle alignment. For testimonials targeted at Japanese-government prospects, the manager confirms that the categorization (ISMAP or ISMAP-LIU) in the testimonial matches the typical ministry procurement requirement in the prospect's program. An ISMAP-LIU testimonial does not validate a ministry requirement for ISMAP general use.

This management cadence is the operational difference between an ISMAP testimonial program that compounds in credibility over time and one that quietly degrades into structurally stale claims. For broader discussion of the underlying authenticity discipline, see how to verify testimonial authenticity and testimonial claim substantiation with data.

Ready to get started?

Start collecting and showcasing testimonials in under 5 minutes.

Start Free