We sometimes help clients design and implement an information security system that is to be audited for use in an ISAE 3402 report.
International Standard on Assurance Engagements (ISAE) No. 3402 is the international counterpart of Service Organization Control (SOC) reporting in the US (formerly SAS 70, which was replaced by Statement on Standards for Attestation Engagements (SSAE) No. 16). ISAE 3402 was developed to provide an international assurance standard that allows public accountants to issue a report, for use by user organizations and their auditors (user auditors), on the controls at a service organization that are likely to impact, or be a part of, the user organization's system of internal control over financial reporting.
There are two types of reports:
A Type I report contains the service organization's description of its controls as at a specific point in time (e.g. June 30, 2014). In a Type I report, the service auditor will express an opinion on
(1) whether the service organization’s description of its controls presents fairly, in all material respects, the relevant aspects of the service organization’s controls that had been placed in operation as of a specific date, and
(2) whether the controls were suitably designed to achieve specified control objectives.
A Type II report not only includes the service organization's description of controls, but also includes detailed testing of the service organization's controls over a period of at least six months (e.g. January 1, 2014 to June 30, 2014). In a Type II report, the service auditor will express an opinion on the same two items noted above for a Type I report, and
(3) whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified.
In summary, ISAE 3402 reports are not directly comparable with one another in the way that ISO 27001 certificates are, because each report covers only the controls and control objectives the service organization chose to include; but as long as you take the time to read and understand what a given report covers, they are useful. They can be a good way of moving towards ISO 27001 and can act as a milestone in the overall ISO 27001 certification project plan. What is typically still missing after ISAE 3402, before you are ready for ISO 27001, are things like a risk assessment, a Statement of Applicability, a number of controls, a process approach, continual improvement, internal audit and documentation control.