Menu

What is a ISAE 3402?

Learn the basics of the ISAE 3402, such as how an audit takes places and how you get the certification.

ISAE 3402 erklæring guide - komplet vejledning til certificering af IT-sikkerhed

Introduction

The ISAE 3402 statement sends a positive signal to potential customers interested in outsourcing parts of their business processes, IT services or personal data management, as it demonstrates that appropriate security measures have been implemented.

How is an ISAE 3402 declaration made?

You can choose to have the ISAE 3402 declaration of IT security for a specific business area.  For example, a software company that performs a specific data processing on behalf of its customers can create a statement for this specific processing.

Therefore, an assurance report starts by defining the business area being audited and the control objectives that need to be checked at the organisation to ensure that IT security is appropriate.

Only an independent auditor can perform the assurance, and during the audit they must review the company's controls and processes to ‘certify’ that they are adequate.

Content of the ISAE 3402 declaration

The ISAE 3402 statement is used to control IT security, so you can use the ISO27001 standard as a starting point for defining your control objectives, which could be worded as follows:

  • Information security policies
  • Organisation of information security
  • Human resources security
  • Asset management
  • Access management
  • Cryptography
  • Physical and environmental security
  • Operational security
  • Communication security
  • Systems acquisition, development and maintenance
  • Vendor relationships
  • Information security incident management
  • Compliance

For each of these areas, you need to set up some concrete IT security controls that an auditor can oversee.

Example of an ISAE 3402 audit

In the example below you can see how an audit can be conducted for ‘asset management’ and ‘system development’, as well as the control activities that can be performed to ensure that appropriate security measures are implemented and effective in the organisation. 

In the last column you can see examples of tests that can be performed by the auditor to verify that the control activities are implemented correctly in the organisation.

ISAE 3402 Topic

Control activity

Test

Asset Management

Securing the development environment:

Example: The organisation must establish and protect secure development environments for system development and integration that cover the entire system development lifecycle.

Examples

We conducted interviews with relevant employees at the company.

We found that the service provider uses a project management system for system development.

Acquiring, developing and maintaining systems

Information security policy for suppliers

Example:

Information security requirements to reduce risks associated with supplier access to the organisation's assets must be agreed with the supplier and documented.

Examples:

We have interviewed relevant employees at the company.

We have reviewed the service provider's supplier security procedure and observed that a declaration in accordance with the service provider's security policy must be signed when entering into supplier agreements. We have reviewed the template for the declaration.

Upon enquiry, we have been informed that no agreements have been signed with suppliers during the declaration period. It has therefore not been possible to test the implementation of the procedure.

We have found that the service provider has obtained and reviewed the SOC 2 report from Microsoft regarding their compliance with the security requirements.

Do you want to see an example of a final ISAE 3402 declaration? Then you can find our for reference here.

Evidence

To fulfil the requirements set by the auditor, it's important to document that you actually comply with the control. This requires ongoing documentation that the auditor can use as a basis for approving the control. A lack of sufficient evidence can result in a remark in the auditor's report.

How do you get an ISAE 3402 certification?

The process of obtaining an ISAE 3402 declaration starts with a gap analysis, where you identify your organisation's existing controls and assess them against the requirements for an ISAE 3402 declaration. Any gaps or weaknesses are identified so that improvements can be made to the security controls. 

Once you have the controls in place, you may want to start by getting an ISAE 3402 type 1 declaration. You can later consider getting a type 2 declaration when the controls have been operational over time, for example after a year. You can read more about the differences between ISAE type 1 and type 2 declarations here.

It is normal to renew your declaration annually, so your organisation should have a process to continuously evaluate and improve the controls. Typically, there will be a set audit date and it is important to set aside time before then to validate that all controls have been performed correctly. However, it is recommended to carry out the actual checks throughout the year. This way you avoid being in a pressurised situation a few days before the deadline where both execution and validation have to be done at the same time.

.legal's ISAE 3402 type 2 declaration

You can read about how we got our ISAE 3402 type 2 declaration done right here. In this one, we also share our experience of getting an ISAE 3000 type 2 declaration done at the same time.

Benefits for customers

The ISAE 3402 declaration provides transparency and assurance for you and your stakeholders, as a third party has validated that you meet the implemented controls.

The declaration confirms to the customer that you as a supplier have high standards for IT security and makes the customer's due diligence process easier. Customers can save time and money by using suppliers with an ISAE 3402 declaration, as they do not have to carry out the audit themselves.

Disadvantages of ISAE 3402

There are many advantages to having an ISAE 3402 statement, but the downside is that it requires a significant investment of time and resources to comply with the requirements and maintain the statement year after year. 

The first audit typically requires extensive documentation and collaboration between multiple departments within the organisation, which can be time consuming. For smaller organisations, cost can be a challenge and you should weigh up whether it creates enough value for the cost.

However, there are IT audit tools that can be used to guide and streamline the process significantly.

Conclusion

With an ISAE 3402 statement, an auditor has declared that they have overseen a company's IT security and found that the company has an appropriate level of security. An ISAE 3402 statement is therefore strong evidence of a company's commitment to maintaining the highest standards of IT security and risk management, while providing customers, partners and other potential stakeholders with the necessary confidence that the company's systems are secure and reliable.

Frequently Asked Questions About ISAE 3402

What is ISAE 3402?

ISAE 3402 is an international standard for assurance reports on controls at service organisations. It provides assurance that a service organisation has implemented appropriate controls for IT security and operational processes that may affect user entities' financial reporting.

Who can perform an ISAE 3402 audit?

Only an independent auditor can perform an ISAE 3402 assurance engagement. During the audit, they must review the company's controls and processes to certify that they are adequate and effective.

What's the difference between ISAE 3402 Type 1 and Type 2?

A Type 1 report describes the service organisation's controls at a specific point in time, while a Type 2 report also tests the operating effectiveness of those controls over a period (typically 12 months).

Read more about the differences between ISAE type 1 and type 2 declarations

How often should an ISAE 3402 certification be renewed?

It's normal to renew your ISAE 3402 declaration annually to maintain credibility and demonstrate ongoing compliance with control requirements.

What does an ISAE 3402 audit cost?

Costs vary depending on the organisation's size and complexity. For smaller organisations, cost can be a challenge, and you should weigh up whether it creates sufficient value relative to the investment.

What's the difference between ISAE 3402 and SOC 2?

ISAE 3402 is the international standard, while SOC 2 is the US equivalent. Both provide assurance on service organisation controls, but ISAE 3402 follows international auditing standards and is more widely recognised globally.

What controls does ISAE 3402 cover?

ISAE 3402 can cover various control areas based on frameworks like ISO 27001, including information security policies, access management, physical security, vendor relationships, and incident management.

Read more about ISO 27001 compliance

Can .legal help with ISAE 3402 compliance?

Yes, .legal's Framework module can help manage and document ISAE 3402 processes alongside other compliance frameworks like ISAE 3000 and ISO 27001.

Learn more about .legal Frameworks

Where can I see an example ISAE 3402 report?

You can view .legal's own ISAE 3402 certification here as a reference example of how a completed declaration appears.

Find a ISAE 3402 example here

What happens if my organisation doesn't get ISAE 3402?

Without an ISAE 3402 declaration, potential customers may have difficulty trusting your IT security posture, and they may require extensive due diligence processes, which can cost time and business opportunities.

Helper swirl top

Information Security Management

Are you looking for more articles on information security? Or are you curious to learn more about compliance solutions? Explore our article series, where we dive deep into the topic.
Left blob
Right blob
Helper swirl bottom
dotlegal compliance platform - handle ISAE 3402, ISAE 3000 and ISO 27001 declarations efficiently

.legal compliance platform Handle your declarations smarter

Curious to try it yourself? Get access to our Declarations add-on, and start handling your own declarations.
  • Gain a clear overview of your progress across multiple declarations like ISAE3402, ISAE3000, and ISO27001.
  • Track real-time updates on completed controls, so you always know how close you are to completion.
  • Avoid redundant work by reusing documentation across various declarations, reducing manual effort.
Learn more
Book a Demo
+325 companies use .legal
Region Sjælland
Aarhus Universitet
Zwipe
aj_vaccines_logo
Realdania
Right People
IO Gates
PLO
Finans Danmark
geia-food
Vestforbrænding
Evida
Klasselotteriet
NRGI1
BLUE WATER SHIPPING
Karnov
Ingvard Christensen
VP Securities
AH Industries
Lægeforeningen
InMobile
AK Nygart
ARP Hansen
DEIF
DMJX
Axel logo
qUINT Logo
KAUFMANN (1)
SMILfonden-logo
kurhotel_skodsborg
Footer topswirl

Info

.legal A/S

hello@dotlegal.com
+45 7027 0127

VAT-no: DK40888888

Support

support@dotlegal.com
+45 7027 0127
Need help?

 

Offices

Aarhus

Store Torv 14, 2.
8000 Aarhus C

Copenhagen

Vesterbrogade 26
1620 København V

Products

Let me help you get started

mads-i-blob
Reach out to me on phone
+45 7027 0127 and I'll get you started
arrow-right-white Get a demo

.legal is not a law firm and is therefore not under the supervision of the Bar Council.

Footer bottomswirl