For an ISAE 3000 certification, or better, an ISAE 3402 assurance opinion on the trust service criteria, a Service Organization Control (SOC) report is required. This report must be audited by an external auditor, who issues an ISAE 3000 type I or ISAE 3000 type II assurance report together with the SOC report. The report must be prepared in accordance with the Trust Service Criteria. All controls have to be included and must be auditable. In general this requires more documentation of controls and more discipline in working in accordance with those controls.
The demand is a consequence of increased IT outsourcing: many organizations focus on their core activities and outsource non-core processes. Because trust between parties has decreased, the demand for security and for control over security risks increases.
An ISAE 3000 report is audited by an external auditor. The report must be prepared in accordance with the trust service criteria and the audit regulations (the ISAs). If the responsible co-workers have an audit background, this can help in preparing an ISAE 3000 SOC 2 report. Specialized organizations can support you with the preparation of the report, a readiness assessment and management of the audit process.
Professional user organizations (corporates) generally require these reports from their service providers. If processes that are crucial to their business are insourced to your enterprise, an ISAE 3000 report will be appropriate. Organizations under supervision of, for example, the SEC or the FSA must also be able to demonstrate that security is under control at their service organizations.
ISAE 3000 and the trust service criteria are international standards and guidelines for security. In (international) tenders for IT outsourcing, an ISAE 3000 SOC 2 certification will probably be required. Another advantage is that your internal processes will be better aligned with your IT and security risks, and better formalized.
This is an example of European practice. In principle, ISAE 3000 requires that sample sizes are in line with reducing risk to a reasonable level. The PCAOB guidelines require a sample size of 25 for daily controls. Detailed guidelines on sample size are not included in the ISAE 3000 standard itself.
This is a semantic discussion. Strictly speaking, an ISAE 3402 report is not a certification. It is a Service Organization Control report accompanied by an assurance report in accordance with ISAE 3000. In the market, however, this is often referred to as an ISAE 3000 SOC 2 certification.