ISO 27001 vs ISAE 3402: is your customer asking you to have an ISAE 3402 report in place, and how does that relate to ISO 27001?

We sometimes help clients design and implement an information security system that will be audited for use in an ISAE 3402 report.

The International Standard on Assurance Engagements (ISAE) No. 3402 is the international counterpart of Service Organization Control (SOC) reporting in the US (formerly SAS 70, which was replaced by Statement on Standards for Attestation Engagements (SSAE) No. 16). ISAE 3402 was developed as an international assurance standard that allows public accountants to issue a report, for use by user organizations and their auditors (user auditors), on the controls at a service organization that are likely to affect, or form part of, the user organization’s system of internal control over financial reporting.

ISAE 3402 is an auditing standard for preparing a formal report on the design, implementation and operating effectiveness of the controls within a service organization (an organization providing services to user organizations).

There are two types of report:

Type I:

A Type I report presents the service organization’s description of its controls at a specific point in time (e.g. June 30, 2014). In a Type I report, the service auditor expresses an opinion on:

(1) whether the service organization’s description of its controls presents fairly, in all material respects, the relevant aspects of the service organization’s controls that had been placed in operation as of a specific date, and

(2) whether the controls were suitably designed to achieve specified control objectives.

Type II:

A Type II report not only includes the service organization’s description of its controls but also detailed testing of those controls over a period of at least six months (e.g. January 1, 2014 to June 30, 2014). In a Type II report, the service auditor expresses an opinion on the same two items as in a Type I report, and additionally on:

(3) whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified.

Unlike ISO 27001, there is no international “rule set” governing the content of these reports, so one accountancy firm may apply a different control framework from another. However, in many of the reports we have seen the chosen control framework is ISO 27002. There are no specific requirements on the number of controls, so this varies, typically between 20 and 75. One key area that is sometimes excluded is business continuity, so I always advise clients to look carefully at the inclusions and exclusions when someone says they are ISAE 3402 audited.

In summary, ISAE 3402 reports are not directly comparable with one another in the way ISO 27001 certificates are, but as long as you take the time to read and understand what a report covers they are useful. They can be a good way of moving towards ISO 27001 and can act as a milestone in the overall ISO 27001 certification project plan. What is typically missing from an ISAE 3402 report before you are ready for ISO 27001 are things like risk assessment, a Statement of Applicability, a number of controls, a process approach, continual improvement, internal audit and documentation control.