What is an ISAE 3402?

Learn the basics of the ISAE 3402, such as how an audit takes place and how you obtain the declaration.


Introduction

The ISAE 3402 statement sends a positive signal to potential customers interested in outsourcing parts of their business processes, IT services or personal data management, as it demonstrates that appropriate security measures have been implemented.

How is an ISAE 3402 declaration made?

You can choose to have the ISAE 3402 declaration of IT security cover a specific business area. For example, a software company that performs specific data processing on behalf of its customers can create a statement for that processing alone.

Therefore, an assurance report starts by defining the business area being audited and the control objectives that need to be checked at the organisation to ensure that IT security is appropriate.

Only an independent auditor can perform the assurance, and during the audit they must review the company's controls and processes to ‘certify’ that they are adequate.

Content of the declaration

The ISAE 3402 statement is used to attest to IT security, so you can use the ISO27001 standard as a starting point for defining your control objectives, which could be worded as follows:

  • Information security policies
  • Organisation of information security
  • Human resources security
  • Asset management
  • Access management
  • Cryptography
  • Physical and environmental security
  • Operational security
  • Communication security
  • Systems acquisition, development and maintenance
  • Vendor relationships
  • Information security incident management
  • Compliance

For each of these areas, you need to set up concrete IT security controls that an auditor can review.

Example of an audit

In the example below you can see how an audit can be conducted for ‘asset management’ and ‘system development’, as well as the control activities that can be performed to ensure that appropriate security measures are implemented and effective in the organisation. 

In the last column you can see examples of tests that can be performed by the auditor to verify that the control activities are implemented correctly in the organisation.

The table has three columns: Topic, Control activity and Test.

Topic: Asset Management

Control activity: Securing the development environment. Example: The organisation must establish and protect secure development environments for system development and integration that cover the entire system development lifecycle.

Test (examples):

  • We conducted interviews with relevant employees at the company.
  • We found that the service provider uses a project management system for system development.

Topic: Acquiring, developing and maintaining systems

Control activity: Information security policy for suppliers. Example: Information security requirements to reduce risks associated with supplier access to the organisation's assets must be agreed with the supplier and documented.

Test (examples):

  • We have interviewed relevant employees at the company.
  • We have reviewed the service provider's supplier security procedure and observed that a declaration in accordance with the service provider's security policy must be signed when entering into supplier agreements. We have reviewed the template for the declaration.
  • Upon enquiry, we have been informed that no agreements have been signed with suppliers during the declaration period. It has therefore not been possible to test the implementation of the procedure.
  • We have found that the service provider has obtained and reviewed the SOC 2 report from Microsoft regarding their compliance with the security requirements.

Do you want to see an example of a final ISAE 3402 declaration? You can find ours for reference here.

Evidence

To fulfil the requirements set by the auditor, it's important to document that you actually comply with the control. This requires ongoing documentation that the auditor can use as a basis for approving the control. A lack of sufficient evidence can result in a remark in the auditor's report.

How do you get an ISAE 3402 certification?

The process of obtaining an ISAE 3402 declaration starts with a gap analysis, where you identify your organisation's existing controls and assess them against the requirements for an ISAE 3402 declaration. Any gaps or weaknesses are identified so that improvements can be made to the security controls. 

Once you have the controls in place, you may want to start by getting an ISAE 3402 type 1 declaration. You can later consider getting a type 2 declaration when the controls have been operational over time, for example after a year. You can read more about the differences between ISAE type 1 and type 2 declarations here.

It is normal to renew your declaration annually, so your organisation should have a process to continuously evaluate and improve the controls. Typically, there will be a set audit date and it is important to set aside time before then to validate that all controls have been performed correctly. However, it is recommended to carry out the actual checks throughout the year. This way you avoid being in a pressurised situation a few days before the deadline where both execution and validation have to be done at the same time.

.legal's ISAE 3402 type 2 declaration

You can read about how we got our ISAE 3402 type 2 declaration done right here. In this one, we also share our experience of getting an ISAE 3000 type 2 declaration done at the same time.

Benefits for customers

The ISAE 3402 declaration provides transparency and assurance for you and your stakeholders, as an independent third party has validated that the controls you have implemented are in place and operating.

The declaration confirms to the customer that you as a supplier have high standards for IT security and makes the customer's due diligence process easier. Customers can save time and money by using suppliers with an ISAE 3402 declaration, as they do not have to carry out the audit themselves.

Disadvantages of ISAE 3402

There are many advantages to having an ISAE 3402 statement, but the downside is that it requires a significant investment of time and resources to comply with the requirements and maintain the statement year after year. 

The first audit typically requires extensive documentation and collaboration between multiple departments within the organisation, which can be time consuming. For smaller organisations, cost can be a challenge and you should weigh up whether it creates enough value for the cost.

However, there are IT audit tools that can be used to guide and streamline the process significantly.

Conclusion

With an ISAE 3402 statement, an auditor has declared that they have overseen a company's IT security and found that the company has an appropriate level of security. An ISAE 3402 statement is therefore strong evidence of a company's commitment to maintaining the highest standards of IT security and risk management, while providing customers, partners and other potential stakeholders with the necessary confidence that the company's systems are secure and reliable.


.legal compliance platform

Handle your declarations smarter

Curious to try it yourself? Get access to our Declarations add-on, and start handling your own declarations.

  • Gain a clear overview of your progress across multiple declarations like ISAE3402, ISAE3000, and ISO27001.
  • Track real-time updates on completed controls, so you always know how close you are to completion.
  • Avoid redundant work by reusing documentation across various declarations, reducing manual effort.

+290 large and small companies use .legal