When your client requests ISAE 3402 or SOC compliance, it is important to understand that there is no such thing as a “generic” ISAE 3402 or SOC certificate or statement. The client has to specify which control(s) the ISAE 3402 or SOC statement is required for.
ISAE 3402 is an assurance mechanism for suppliers, in the form of SOC (System and Organisation Controls). There are three kinds of SOC reports:
- SOC 1 report: provides assurance on finance-related controls
- SOC 2 report: provides assurance on IT-related controls
- SOC 3 report: a more generic version of SOC 2
SOC 2 and SOC 3 reports are based on five trust services criteria: security, availability, processing integrity, confidentiality and privacy.
Relation with ISO 27001
ISO 27001 focuses on the implementation of a management system for information security. The result is the implementation of a number of information security controls. During the audit, the controls are sampled, but the main objective is to establish that the management system is operative.
The main objective of ISAE 3402 and SOC is to provide assurance that one or more specific security controls are operative. During the audit, only these specific controls will be audited. While a Type I report provides just a snapshot, a Type II report requires at least 6 months of evidence to be available.
Achieving ISO 27001 certification can serve as the basis for ISAE 3402 and SOC 2, as implementing it will make sure that all (relevant) procedures and policies are documented and validated.
- There is no such thing as a generic ISAE 3402 or SOC statement
- Always ask your client which controls they need audited
- ISO 27001 can be the basis for ISAE 3402 or SOC
- The audit will take more time (and thus will be more expensive) than ISO 27001
- For a Type II report, at least 6 months of evidence is required (instead of 3 months for ISO 27001)