
Becoming ISAE Compliant - Our Journey

Learn how we at .legal A/S work to stay ISAE certified with ISAE 3000 Type 2 and ISAE 3402 Type 2.



    Introduction

    At .legal, staying on top of our compliance with GDPR and IT security has always been a priority. In 2019, we raised the bar by obtaining ISAE 3000 Type 2 and ISAE 3402 Type 2 assurance reports (commonly referred to as certifications).

    For more about these certifications, feel free to read our detailed articles on ISAE 3000 and ISAE 3402. You can also access our latest certifications and final audit reports here.

    In this article, we’ll take you through the journey we took at .legal A/S to achieve both ISAE 3000 and ISAE 3402 audits, the challenges we encountered, and how we turned those challenges into solutions that could simplify compliance for both ourselves and our clients.

    Why We Chose ISAE 3000 and ISAE 3402 Certifications

    We pursued ISAE 3000 and ISAE 3402 certifications for a few key reasons.

    ISAE 3000 Type 2 is closely tied to GDPR compliance, something we've been committed to from the start. It demonstrates to our stakeholders that we not only meet legal data protection standards but also maintain strong internal processes to manage and protect personal data throughout the year-long audit period. Download our ISAE 3000 here.

    ISAE 3402 Type 2 is focused on the IT general controls of a service organisation, and since our clients process their data through our platform, this report reassures them that we have effective processes in place to keep our IT infrastructure secure throughout the one-year audit period. Download our ISAE 3402 here.

    While each certification has its own focus, they both overlap in areas like internal controls and risk management. Therefore, coordinating the two audits allowed us to use our resources more effectively.

    Managing Multiple Audits

    From 2019 until 2022, we went through separate audits for ISAE 3000 and ISAE 3402, but this turned out to be inefficient because many of the internal controls required for both overlapped. 

    So, we decided to combine the audits the following year. This approach reduced duplicated effort, saved time, and minimised disruption across departments.


    Getting an ISAE Statement

    One of the toughest parts was organising the tasks while gathering the necessary evidence - from IT security procedures to data handling documentation.

    In the first year, it took a full-time employee, working alongside other responsibilities, about eight weeks to gather and organise all the necessary evidence, with input from various teams across the company.

    “The first year was definitely the hardest. Collecting all the evidence felt overwhelming at times, especially because it was spread across different departments. It took a lot of coordination, but we learned a lot, which helped streamline things for the future,” said Louise Skou, Legal Assistant at .legal A/S.

    Even though we were already GDPR-compliant, ISAE 3000 demanded an even more rigorous documentation of our processes. For ISAE 3402, we added new measures, like monthly penetration tests, which we’d already been considering but hadn’t yet implemented.

    The process has been very fruitful for us. Though it took time, it was a healthy exercise that gave us a much better overview of the business as a whole and created a structure that made it easier to handle our IT security and implement appropriate security measures.

    Streamlining the Certification Process

    One of the biggest lessons we learned was that the first year requires the most time and resources. The good news is that once everything is set up, maintaining compliance becomes much simpler in the following years. In addition, it becomes much easier to implement new security measures and practices.

    Going forward, we estimate it will only take 15–20 hours per year for our compliance manager to handle the audit process, a fraction of the initial workload. This is thanks to automating many of the tasks involved in gathering and organising evidence.

    During this process, we began developing an auditing tool that automates the compliance and audit processes for both ISAE 3000 and ISAE 3402. The tool assigns tasks, sends notifications, tracks compliance via a log, and allows team members to contribute throughout the year. This way, not all evidentiary tasks end up on one employee's desk right before the audit. This has centralised everything and eliminated the need for back-and-forth communication through email or chat.

    “What used to take eight people from different departments is now much simpler. With our new processes and the audit tool, only four people - at most - need to be involved instead of the previous eight people, and everything is far more organised,” says Louise Skou, Legal Assistant at .legal A/S.

    This tool has been a game-changer for us, and we believe it will make these types of audits more accessible for other organisations as well.

    Guidance from IT Security Auditors

    We didn’t do this alone. Our auditors provided invaluable guidance, especially on which internal controls a B2B SaaS company should prioritise. Their advice not only helped us with ISAE 3000 and ISAE 3402 but also helped us identify the path forward for future certifications like ISO 27001.

    For example, our auditors helped us enhance our security by recommending improvements like shortening screen lock times and strengthening password policies, not just to pass the audit but to improve overall security. This was an easy and quick process, as all other tasks and evidence were already properly organised.


    The Benefits of ISAE Certification

    So, was it worth the effort? Absolutely.

    “When we show clients our ISAE 3000 and 3402 certifications, it gives them immediate confidence. They see that we’re not just ticking boxes but have a proven system that protects their data and ensures our processes are solid,” says Brian Østberg, CEO of .legal A/S.

    Achieving both ISAE 3000 and ISAE 3402 certifications has brought several clear benefits:

    Client trust

    Most of our clients operate in industries where data security is critical. These reports give them peace of mind: they no longer need to conduct their own audits of us, since an independent auditor has already tested and reported on our controls, saving them time and money.

    Improved processes

    Preparing for the audits forced us to critically assess our internal controls and risk management. This resulted in workflows that are not only compliant but also more efficient and secure. As evidence is stored solely on the platform, there's no need to worry about deleting emails with evidence after the audit.

    Documenting our procedures has become a valuable resource as training materials for onboarding new employees and fostering a culture of continuous improvement.

    Enhanced security

    The introduction of monthly penetration tests and other IT measures has already helped us identify and fix vulnerabilities, strengthening our overall security posture.

    What’s Next

    From our ISAE 3000 and ISAE 3402 journey, we developed an audit tool to simplify compliance and the audit process for others. With this tool, evidence collection becomes automated, reducing the need for back-and-forth communication and manual tasks. Team members can upload documents, track compliance, and communicate via the platform, making it easier to stay on top of things year-round.

    “The beauty of it is that once it’s set up, the process repeats itself each year. You no longer need to send reminder emails to kickstart the audit process - everything is automated, and you just oversee the final approvals before sending them to the auditor,” says Brian Østberg, CEO of .legal A/S.

    For many organisations, IT audits are a stressful, deadline-driven event, but with this audit tool, compliance becomes a seamless part of everyday operations.

    Make it ISAE

    Securing ISAE 3000 and ISAE 3402 Type 2 certifications was a challenging but rewarding process. It has pushed us to refine our internal systems and step up our security measures, while proving to our stakeholders that we are truly compliant.

    The new audit tool is designed to help other companies achieve and maintain ISAE certifications more efficiently. If you’re considering going for ISAE 3000 or ISAE 3402 certification, be ready for some upfront effort, but with the right tools in place, it gets much easier over time.

    Frequently Asked Questions About ISAE 3000 and ISAE 3402 Compliance

    What is ISAE 3000?

    ISAE 3000 is the international standard for assurance engagements other than audits or reviews of historical financial information. It provides a framework for auditors to assess and report on an organisation's internal controls in areas such as data protection, information security, sustainability, and regulatory compliance.

    What is ISAE 3402?

    ISAE 3402 is an international standard for assurance reports on controls at a service organisation. It allows service providers to demonstrate to their clients that they have adequate internal controls over the services they provide, particularly for financial reporting.

    What is the difference between ISAE 3000 and ISAE 3402?

    ISAE 3000 covers non-financial assurance engagements broadly, while ISAE 3402 specifically focuses on controls at service organisations relevant to user entities' financial reporting. ISAE 3402 is the go-to standard for service organisations providing IT or outsourcing services.

    Why do organisations need ISAE compliance?

    ISAE compliance demonstrates to clients, regulators, and stakeholders that an organisation has robust internal controls. It builds trust, satisfies due diligence requirements, meets contractual obligations, and can be a competitive advantage in the market.

    What is the difference between Type 1 and Type 2 reports?

    A Type 1 report assesses the design of controls at a specific point in time, confirming they are suitably designed. A Type 2 report evaluates both the design and operating effectiveness of controls over a period (typically 6-12 months), providing stronger assurance.

    How long does it take to become ISAE compliant?

    Achieving ISAE compliance typically takes 3-12 months depending on the organisation's maturity, existing controls, and the scope of the assessment. A Type 1 report can be obtained faster, while a Type 2 report requires an observation period long enough for the auditor to test operating effectiveness, commonly at least 6 months.

    Who needs an ISAE 3402 report?

    Service organisations that process transactions or host data for other companies typically need ISAE 3402 reports. This includes IT service providers, cloud hosting companies, payroll processors, data centres, and managed security service providers.

    How does ISAE relate to SOC reports?

    ISAE 3402 is the international equivalent of the US SSAE 18 SOC 1 report, which covers controls relevant to financial reporting. Outside the US, reports on security, availability and privacy controls (the SOC 2 subject matter) are commonly issued under ISAE 3000 instead. While SOC reports are US-based, ISAE reports are recognised internationally, and many organisations obtain both to serve clients in different regions.

    What controls are typically covered in an ISAE report?

    Common controls include access management, change management, incident management, backup and recovery, physical security, monitoring, risk assessment, and data protection measures relevant to the services being provided.

    How can organisations prepare for an ISAE audit?

    Preparation includes defining the scope, documenting all relevant controls, implementing monitoring processes, conducting internal assessments, training staff, gathering evidence of control effectiveness, and engaging with an experienced auditor early in the process.


    Achieve ISAE Compliance with .legal

    Streamline your journey to ISAE 3000 and ISAE 3402 compliance. The .legal platform helps you document controls, manage audits, and maintain continuous compliance.
    • Document and track internal controls
    • Prepare for ISAE audits systematically
    • Monitor control effectiveness continuously
    • Generate evidence for auditor reviews
    • Manage compliance across frameworks