Becoming ISAE Compliant: .legal's ISAE 3000 & 3402 process

In this article you can read how .legal works with ISAE compliance, and how we obtained our certifications.

Louise blop

Introduction

At .legal, staying on top of our compliance with GDPR and IT security has always been a priority. In 2019, we raised the bar by securing ISAE 3000 Type 2 and ISAE 3402 Type 2 certifications.

For more about these certifications, feel free to read our detailed articles on ISAE 3000 and ISAE 3402. You can also access our latest certifications and final audit reports here.

In this article, we’ll take you through the journey we took at .legal A/S to achieve both ISAE 3000 and ISAE 3402 audits, the challenges we encountered, and how we turned those challenges into solutions that could simplify compliance for both ourselves and our clients.

Why We Chose ISAE 3000 and ISAE 3402 Certifications

We pursued ISAE 3000 and ISAE 3402 certifications for a few key reasons.

ISAE 3000 Type 2 is closely tied to GDPR compliance, something we've been committed to from the start. It demonstrates to our stakeholders that we not only meet legal data protection standards but also maintain strong internal processes to manage and protect personal data throughout the year-long audit period.

ISAE 3402 Type 2 is focused on IT security. Since our clients process their data through our platform, this certification reassures them that we have effective processes in place to keep our IT infrastructure secure throughout the one-year audit period.

While each certification has its own focus, they both overlap in areas like internal controls and risk management. Therefore, coordinating the two audits allowed us to use our resources more effectively.

Managing Multiple Audits

From 2019 until 2022, we went through separate audits for ISAE 3000 and ISAE 3402, but this turned out to be inefficient because many of the internal controls required for the two audits overlapped.

So, we decided to combine the audits the following year. This approach reduced duplicated effort, saved time, and minimised disruption across departments.

Getting an ISAE Statement

One of the toughest parts was organising the tasks while gathering the necessary evidence - from IT security procedures to data handling documentation.

In the first year, it took a full-time employee - who also had other responsibilities at the time - about eight weeks to gather and organise all the necessary evidence, with input from various teams across the company.

“The first year was definitely the hardest. Collecting all the evidence felt overwhelming at times, especially because it was spread across different departments. It took a lot of coordination, but we learned a lot, which helped streamline things for the future,” said Louise Skou, Legal Assistant at .legal A/S.

Even though we were already GDPR-compliant, ISAE 3000 demanded an even more rigorous documentation of our processes. For ISAE 3402, we added new measures, like monthly penetration tests, which we’d already been considering but hadn’t yet implemented.

The process has been very fruitful for us. Though it took time, it was a healthy exercise that gave us a much better overview of the business as a whole and created a structure that made it easier to handle our IT security and implement appropriate security measures.

Streamlining the Certification Process

One of the biggest lessons we learned was that the first year requires the most time and resources. The good news is that once everything is set up, maintaining compliance becomes much simpler in the following years. In addition, it becomes much easier to implement new security measures and practices.

Going forward, we estimate it will only take 15–20 hours per year for our compliance manager to handle the audit process, a fraction of the initial workload. This is thanks to automating many of the tasks involved in gathering and organising evidence.

During this process, we began developing an auditing tool that automates the compliance and audit processes for both ISAE 3000 and ISAE 3402. The tool assigns tasks, sends notifications, tracks compliance via a log, and allows team members to contribute throughout the year. This way, not all evidentiary tasks end up on one employee's desk right before the audit. This has centralised everything and eliminated the need for back-and-forth communication through email or chat.

“What used to take eight people from different departments is now much simpler. With our new processes and the audit tool, only four people - at most - need to be involved instead of the previous eight people, and everything is far more organised,” says Louise Skou, Legal Assistant at .legal A/S.

This tool has been a game-changer for us, and we believe it will make these types of audits more accessible for other organisations as well.

Guidance from IT Security Auditors

We didn’t do this alone. Our auditors provided invaluable guidance, especially on which internal controls a B2B SaaS company should prioritise. Their advice not only helped us with ISAE 3000 and ISAE 3402 but also helped us identify the path forward for future certifications like ISO 27001.

For example, our auditors helped us enhance our security by recommending improvements like adjusting screen lock times and strengthening password policies, not just to pass the audit but to improve overall security. This was an easy and quick process, as all other tasks and evidence were already properly organised.

The Benefits of ISAE Certification

So, was it worth the effort? Absolutely.

“When we show clients our ISAE 3000 and 3402 certifications, it gives them immediate confidence. They see that we’re not just ticking boxes but have a proven system that protects their data and ensures our processes are solid,” says Brian Østberg, CEO of .legal A/S.

Achieving both ISAE 3000 and ISAE 3402 certifications has brought several clear benefits:

Client trust

Most of our clients operate in industries where data security is critical. These certifications give them peace of mind, as they no longer need to conduct their own audits of us, since an external auditor has already approved our practices, saving them time and money.

Improved processes

Preparing for the audits forced us to critically assess our internal controls and risk management. This resulted in workflows that are not only compliant but also more efficient and secure. As evidence is stored solely on the platform, there's no need to worry about deleting emails with evidence after the audit.

Documenting our procedures has also produced a valuable resource: the documentation now serves as training material for onboarding new employees and supports a culture of continuous improvement.

Enhanced security

The introduction of monthly penetration tests and other IT measures has already helped us identify and fix vulnerabilities, strengthening our overall security posture.

What’s Next

From our ISAE 3000 and ISAE 3402 journey, we developed an audit tool to simplify compliance and the audit process for others. With this tool, evidence collection becomes automated, reducing the need for back-and-forth communication and manual tasks. Team members can upload documents, track compliance, and communicate via the platform, making it easier to stay on top of things year-round.

“The beauty of it is that once it’s set up, the process repeats itself each year. You no longer need to send reminder emails to kickstart the audit process - everything is automated, and you just oversee the final approvals before sending them to the auditor,” says Brian Østberg, CEO of .legal A/S.

For many organisations, IT audits are a stressful, deadline-driven event, but with this audit tool, compliance becomes a seamless part of everyday operations.

Make it ISAE

Securing ISAE 3000 and ISAE 3402 Type 2 certifications was a challenging but rewarding process. It has pushed us to refine our internal systems and step up our security measures, while proving to our stakeholders that we are truly compliant.

The new audit tool is designed to help other companies achieve and maintain ISAE certifications more efficiently. If you’re considering going for ISAE 3000 or ISAE 3402 certification, be ready for some upfront effort, but with the right tools in place, it gets much easier over time.


.legal compliance platform: handle your declarations smarter

Curious to try it yourself? Get access to our Declarations add-on, and start handling your own declarations.
  • Gain a clear overview of your progress across multiple declarations like ISAE3402, ISAE3000, and ISO27001.
  • Track real-time updates on completed controls, so you always know how close you are to completion.
  • Avoid redundant work by reusing documentation across various declarations, reducing manual effort.