An ISAE 3402 report provides assurance to a third party (e.g. a client) that certain controls are operative.
The relevant controls to be audited are defined by the organization itself, taking into consideration the requirements of its clients. It makes sense to use a recognized baseline, such as ISO 27001 Annex A or the Trust Services Criteria (TSC 100).
Type 1 or type 2?
There are two kinds of ISAE 3402 reports:
- Type 1: a snapshot only, describing the design of the controls at a single point in time
- Type 2: based on evidence that the controls operated over the past 6 months
Relationship to ISO 27001
While ISO 27001 focuses on the implementation of a management system for information security, the main objective of ISAE 3402 is to provide assurance that the controls are operating.
Instant 27001 can serve as the basis for ISAE 3402, as implementing ISO 27001 ensures that all relevant controls are selected and implemented.