What is an ISAE 3402?
Learn the basics of the ISAE 3402, such as how an audit takes place and how you get the certification.

Introduction
The ISAE 3402 statement sends a positive signal to potential customers interested in outsourcing parts of their business processes, IT services or personal data management, as it demonstrates that appropriate security measures have been implemented.
How is an ISAE 3402 declaration made?
You can choose to have the ISAE 3402 declaration of IT security cover a specific business area. For example, a software company that performs specific data processing on behalf of its customers can create a statement for that processing alone.
Therefore, an assurance report starts by defining the business area being audited and the control objectives that need to be checked at the organisation to ensure that IT security is appropriate.
Only an independent auditor can perform the assurance, and during the audit they must review the company's controls and processes to ‘certify’ that they are adequate.
Content of the ISAE 3402 declaration
The ISAE 3402 statement is used to attest to IT security controls, so you can use the ISO 27001 standard as a starting point for defining your control objectives, which could be worded as follows:
- Information security policies
- Organisation of information security
- Human resources security
- Asset management
- Access management
- Cryptography
- Physical and environmental security
- Operational security
- Communication security
- Systems acquisition, development and maintenance
- Vendor relationships
- Information security incident management
- Compliance
For each of these areas, you need to set up some concrete IT security controls that an auditor can oversee.
Example of an ISAE 3402 audit
In the example below you can see how an audit can be conducted for ‘asset management’ and ‘system development’, as well as the control activities that can be performed to ensure that appropriate security measures are implemented and effective in the organisation.
In the last column you can see examples of tests that can be performed by the auditor to verify that the control activities are implemented correctly in the organisation.
| ISAE 3402 Topic | Control activity | Test |
| --- | --- | --- |
| Asset Management | Securing the development environment. Example: The organisation must establish and protect secure development environments for system development and integration that cover the entire system development lifecycle. | Examples: We conducted interviews with relevant employees at the company. We found that the service provider uses a project management system for system development. |
| Acquiring, developing and maintaining systems | Information security policy for suppliers. Example: Information security requirements to reduce risks associated with supplier access to the organisation's assets must be agreed with the supplier and documented. | Examples: We have interviewed relevant employees at the company. |
Do you want to see an example of a final ISAE 3402 declaration? Then you can find ours for reference here.
Evidence
To fulfil the requirements set by the auditor, it's important to document that you actually comply with the control. This requires ongoing documentation that the auditor can use as a basis for approving the control. A lack of sufficient evidence can result in a remark in the auditor's report.
How do you get an ISAE 3402 certification?
The process of obtaining an ISAE 3402 declaration starts with a gap analysis, where you identify your organisation's existing controls and assess them against the requirements for an ISAE 3402 declaration. Any gaps or weaknesses are identified so that improvements can be made to the security controls.
Once you have the controls in place, you may want to start by getting an ISAE 3402 type 1 declaration. You can later consider getting a type 2 declaration when the controls have been operational over time, for example after a year. You can read more about the differences between ISAE type 1 and type 2 declarations here.
It is normal to renew your declaration annually, so your organisation should have a process to continuously evaluate and improve the controls. Typically, there will be a set audit date and it is important to set aside time before then to validate that all controls have been performed correctly. However, it is recommended to carry out the actual checks throughout the year. This way you avoid being in a pressurised situation a few days before the deadline where both execution and validation have to be done at the same time.
.legal's ISAE 3402 type 2 declaration
You can read about how we got our ISAE 3402 type 2 declaration done right here. In this one, we also share our experience of getting an ISAE 3000 type 2 declaration done at the same time.
Benefits for customers
The ISAE 3402 declaration provides transparency and assurance for you and your stakeholders, as a third party has validated that you meet the implemented controls.
The declaration confirms to the customer that you as a supplier have high standards for IT security and makes the customer's due diligence process easier. Customers can save time and money by using suppliers with an ISAE 3402 declaration, as they do not have to carry out the audit themselves.
Disadvantages of ISAE 3402
There are many advantages to having an ISAE 3402 statement, but the downside is that it requires a significant investment of time and resources to comply with the requirements and maintain the statement year after year.
The first audit typically requires extensive documentation and collaboration between multiple departments within the organisation, which can be time consuming. For smaller organisations, cost can be a challenge and you should weigh up whether it creates enough value for the cost.
However, there are IT audit tools that can be used to guide and streamline the process significantly.
Conclusion
With an ISAE 3402 statement, an auditor has declared that they have overseen a company's IT security and found that the company has an appropriate level of security. An ISAE 3402 statement is therefore strong evidence of a company's commitment to maintaining the highest standards of IT security and risk management, while providing customers, partners and other potential stakeholders with the necessary confidence that the company's systems are secure and reliable.
Frequently Asked Questions About ISAE 3402
What is ISAE 3402?
ISAE 3402 is an international standard for assurance reports on controls at service organisations. It provides assurance that a service organisation has implemented appropriate controls for IT security and operational processes that may affect user entities' financial reporting.
Who can perform an ISAE 3402 audit?
Only an independent auditor can perform an ISAE 3402 assurance engagement. During the audit, they must review the company's controls and processes to certify that they are adequate and effective.
What's the difference between ISAE 3402 Type 1 and Type 2?
A Type 1 report describes the service organisation's controls at a specific point in time, while a Type 2 report also tests the operating effectiveness of those controls over a period (typically 12 months).
Read more about the differences between ISAE type 1 and type 2 declarations
How often should an ISAE 3402 certification be renewed?
It's normal to renew your ISAE 3402 declaration annually to maintain credibility and demonstrate ongoing compliance with control requirements.
What does an ISAE 3402 audit cost?
Costs vary depending on the organisation's size and complexity. For smaller organisations, cost can be a challenge, and you should weigh up whether it creates sufficient value relative to the investment.
What's the difference between ISAE 3402 and SOC 2?
ISAE 3402 is the international standard, while SOC 2 is the US equivalent. Both provide assurance on service organisation controls, but ISAE 3402 follows international auditing standards and is more widely recognised globally.
What controls does ISAE 3402 cover?
ISAE 3402 can cover various control areas based on frameworks like ISO 27001, including information security policies, access management, physical security, vendor relationships, and incident management.
Read more about ISO 27001 compliance
Can .legal help with ISAE 3402 compliance?
Yes, .legal's Framework module can help manage and document ISAE 3402 processes alongside other compliance frameworks like ISAE 3000 and ISO 27001.
Learn more about .legal Frameworks
Where can I see an example ISAE 3402 report?
You can view .legal's own ISAE 3402 certification here as a reference example of how a completed declaration appears.
Find an ISAE 3402 example here
What happens if my organisation doesn't get ISAE 3402?
Without an ISAE 3402 declaration, potential customers may have difficulty trusting your IT security posture, and they may require extensive due diligence processes, which can cost time and business opportunities.
Info
.legal A/S
hello@dotlegal.com
+45 7027 0127
VAT-no: DK40888888
.legal is not a law firm and is therefore not under the supervision of the Bar Council.