What is ISAE 3000?
Introduction
The ISAE 3000 statement has become an important tool for organisations that want to demonstrate compliance with the GDPR. In short, an ISAE 3000 statement is an independent auditor's report confirming that a company's controls for a given compliance area are suitably designed and, in the case of a Type 2 statement, have also operated effectively over a defined period. That independent confirmation builds trust with the company's customers and business partners.
The ISAE 3000 standard
ISAE 3000 (International Standard on Assurance Engagements 3000, "Assurance Engagements Other than Audits or Reviews of Historical Financial Information") is a general standard for how auditors perform assurance engagements on non-financial subject matter. It sets requirements for how auditors plan, perform and report such engagements, whether the subject is a company's sustainability (ESG) reporting or its compliance with the GDPR.
The standard covers the auditor's ethics and independence, planning, risk assessment, obtaining evidence, documentation, and the form and content of the assurance report.
Because ISAE 3000 is neutral as to subject matter, an auditor can design and perform an engagement on any topic as long as the requirements of the standard are followed. The criteria against which the controls are assessed therefore have to be adapted to the specific topic; for GDPR, this means mapping each control to the relevant provisions of the regulation.
The statement can only be issued by an authorised auditor; a review by a consultant or other third party is not an ISAE 3000 statement. At .legal A/S, for example, we used the auditing firm BDO to audit our GDPR compliance. Read about how we obtained our ISAE 3000 statement here.
An ISAE 3000 statement can be issued as a Type 1 or a Type 2 statement.
ISAE 3000 Type 1 and Type 2 statements
A Type 1 statement provides assurance that a company's controls are suitably designed and implemented as at a specific date. For example, if your organisation has a process to protect customer data, a Type 1 statement confirms that the process is designed appropriately and was in place on that date; it says nothing about whether the process was followed before or after.
A Type 2 statement shows that the controls are not only suitably designed but have also operated effectively throughout the audit period (typically 6 or 12 months). The auditor tests the controls against evidence from the whole period, which gives the reader considerably more confidence that the organisation is maintaining its level of security over time.
| ISAE 3000 | Type 1 statement | Type 2 statement |
|---|---|---|
| Purpose | Confirms that the organisation's internal controls are suitably designed and implemented at a given point in time. | Confirms that the organisation's internal controls are both suitably designed and operating effectively over a longer period of time. |
| Focus | Design and implementation of controls | Design, implementation and ongoing operation of controls |
| Time period | One specific date | A defined period (e.g. 6 or 12 months) |
| Type of audit | Checks that controls are in place and appropriate at the date of the statement. | Tests that the controls have operated effectively and continuously throughout the period. |
| Use | When the organisation needs to demonstrate that controls are designed correctly from the start. | When the organisation needs to show that the controls work effectively over time, increasing confidence in the resilience of the system. |
| Evidence | Documentation of design and implementation | Documentation of design, implementation and effective operation of the controls |
| Example | A start-up that wants to show that its controls are suitably designed to protect customer data. | A well-established organisation that wants to show that its controls continue to operate effectively to maintain security over time. |
Is it a GDPR certification?
Although ISAE 3000 is not a GDPR-specific certification scheme (an ISAE 3000 statement is an assurance report, not a certification in the sense of GDPR Article 42), it can be used to document GDPR compliance. The statement shows that a data processor has appropriate controls and security measures in place for the processing it performs, and that these have been independently tested. Note that the assurance covers the controls and the scope described in the statement, not a blanket finding that the processor "complies with the GDPR".
FSR - Danish Auditors (FSR - danske revisorer) and the Danish Data Protection Agency (Datatilsynet) have, for example, jointly developed a template for GDPR compliance statements. The template is built on ISAE 3000, and its purpose is to ensure that all relevant topics are covered so that the statement fulfils the requirements of both the Danish Data Protection Agency and the general assurance standard. That is why the ISAE 3000 statement is so commonly used by Danish organisations to demonstrate GDPR compliance.
Why require an ISAE 3000 declaration?
Data controllers who use data processors must ensure that the processor handles personal data in accordance with the data processing agreement.
This follows from the GDPR itself: under Article 28(1) a controller may only use processors that provide sufficient guarantees of appropriate technical and organisational measures, and under Article 28(3)(h) the processor must make available the information needed to demonstrate compliance and allow for and contribute to audits.
An ISAE 3000 statement on a data processor's GDPR compliance is a reliable signal to the data controller that the processor handles personal data securely. It also means less work for the controller, which does not have to examine the processor's processes to the same depth itself, while giving greater assurance that personal data is processed responsibly.
The ISAE 3000 statement thus makes it easier for the controller to perform its due diligence on the processor before entering into the collaboration and entrusting it with the processing of personal data.
A processor can also ease the controller's ongoing monitoring by renewing its ISAE 3000 statement regularly, since the controller must continually ensure that the processing is carried out securely. A renewed statement therefore saves the controller resources year after year. Checking that the statement "is still valid" should, however, mean more than noting its date: a Type 2 statement covers a past period, so the controller should check that the period covered is recent and contiguous with the previous statement, that the scope still matches the services it actually uses, and whether the auditor's conclusion is qualified or the test results list control exceptions that need follow-up.
The controller must always make sure that the statement relates to the actual processing it has entrusted to the processor and not some other processing operation. Whether the statement is fit for purpose can be checked in the description of scope and the systems and services covered, which appears at the beginning of the statement.
In short, an ISAE 3000 statement saves time and resources for both the processor and the controller by providing confidence through an independent, external audit.
Should everyone make an ISAE 3000 declaration?
Data processors
A data processor is, for example, a software provider whose core business involves processing personal data on behalf of its customers.
Many data controllers require that their processors can demonstrate compliance with, for example, the GDPR via an ISAE 3000 statement, so having one becomes a competitive advantage.
The alternative to having an ISAE 3000 declaration is that all controllers would have to monitor the compliance of the processor's processing practices themselves. This would be burdensome for the controller, but also for the processor, as it is complex and resource-intensive to handle the various audits from customers.
So, all things being equal, it is best for all parties if the processor has an authorised third party carry out an audit.
Data controllers
It is not only data processors that benefit from an ISAE 3000 statement on the company's GDPR compliance. A data controller may also want to signal to its customers and other stakeholders that the GDPR rules are complied with. It sends a strong signal to the outside world that data protection is taken seriously and that the legislation is followed.
How is the process? You can read how we got our ISAE 3000 statement done in this article, where our GDPR coordinator shares her experience of the whole process.
Content of the declaration
An ISAE 3000 statement contains a description of the processor's processing and systems, the purpose and scope of the engagement, a description of the controls to be tested by the IT auditor, the tests the auditor performed and their results, and the auditor's conclusion.
Below is an example of topics and associated control activities that can be covered by an ISAE 3000 statement, the reference to the GDPR provision each control supports, and how an auditor can test the control.
| Topic | Control activity | GDPR | Test |
|---|---|---|---|
| Asset management | Record of processing activities. Example: the data processor has prepared a record of processing activities, which is updated regularly and at least once a year. Data classification. … | Article 30(2), (3) and (4) | Example: it has been verified that the data processor has created a record of processing activities in its capacity as data processor. |
| Personnel security | Before employment. Example: background checks are performed on all job candidates in accordance with the company's requirements for the role the employee will fill. During employment. … Confidentiality agreements. … At the end of employment. … | Article 28(1); Article 28(3)(b) | Example: inquiries have been made of relevant personnel at the data processor. |
Evidence
To satisfy the auditor, it is not enough to comply with a control; you have to be able to document that you did. This requires ongoing, dated evidence (for example tickets, logs, signed confidentiality agreements or training records) that the auditor can use as the basis for concluding on the control. For a Type 2 statement the evidence must cover the whole audit period, not just the point in time when the auditor asks for it. Insufficient evidence can result in a qualification in the auditor's report.
You can see a completed ISAE 3000 statement including all the control activities and find descriptions of how these are tested in .legal A/S's latest ISAE 3000 statement.
Other certifications
The ISAE 3000 statement is used as a means of demonstrating GDPR compliance to company stakeholders, but there are other ways to do this as well.
One recognised way to demonstrate that a company has an appropriate level of security is to obtain ISO/IEC 27001 certification. ISO/IEC 27001 is an international standard that specifies the requirements for an information security management system (ISMS), including a risk-based selection of security controls.
You can also obtain an ISAE 3402 statement. It is structured much like the GDPR statement (ISAE 3000), with Type 1 and Type 2 variants, but its subject is different: ISAE 3402 is formally the standard for reports on controls at a service organisation that are relevant to its customers' financial reporting, and in practice it is widely used for statements on general IT controls and information security, covering much the same ground as ISO/IEC 27001.
Summary: Benefits of an ISAE 3000 statement
If your organisation wants to demonstrate to customers, partners and other stakeholders that you are GDPR compliant, the ISAE 3000 statement is one way to achieve it. Its benefits include:
- Increases trust with customers and partners.
- Reduces the number of individual customer audits the organisation has to handle.
- Provides a competitive advantage.
- Improves internal controls and procedures, since they must be documented and tested to pass the audit.