Organisations increasingly outsource services, including critical IT processes and security services. Although they want to keep a grip on these services and the processes underlying them, an outsourced process is often not directly controllable by the buyer. An ISAE 3402 statement helps here. With an ISAE 3402 statement on outsourced processes and services, the organisation buying the service gains insight into the quality, continuity, security and integrity of the organisation performing it, and therefore more certainty that the service is under control.
Need for insight on outsourced services
Organisations that outsource services remain responsible for controlling them. They therefore usually draw up a Service Level Agreement (SLA) or another contractual arrangement that lays down in detail the requirements the service, and the organisation performing it, must meet. Whether those requirements are actually met, however, often remains unclear to the buyer.
With an ISAE 3402 Type I statement, an independent RA/AA auditor assesses the design and existence of the control measures at a point in time. These control measures are activities aimed at managing the risks to the critical processes. The assessment should show whether there is reasonable assurance that the process or service can be delivered according to the agreed requirements. In this way, the organisation performing the service gives the customer insight into its policy, processes and control measures.
In an ISAE 3402 Type II audit, the operating effectiveness of the control measures is tested as well, over a period of at least six months: the auditor checks whether each control measure actually operated as designed throughout that period. Buyers of the outsourced service thus gain assurance about whether the agreed requirements have been met.
ISAE 3402 reporting
An ISAE 3402 report is prepared to give the organisation buying the service greater insight into the organisation performing it. A report includes the following items, among others:
- A description of the organisation and its context;
- The organisation’s risk management framework. The central question here is how the organisation identifies, analyses and manages risks to service delivery;
- How business continuity, information security and integrity are safeguarded in the organisation and how this is managed;
- The control objectives (also called management objectives) formulated for the critical processes behind the services, and the control measures set up to achieve them;
- The audit results for the control measures. On this basis, it can be stated whether the control objectives have been met.
The control measures are applied to the processes that affect the quality, continuity, security and integrity of the service. There is a certain freedom in how the control measures are formulated: unlike a certification standard with a fixed set of controls, the resulting Service Organisation Control (SOC) report is not tied to a prescribed control set or certification scheme.
As stated, there is some freedom in how the control measures used for testing are constructed. One company may focus on control measures related to security, while another prioritises business continuity and information security. Through the control measures, the control of the (outsourced) processes becomes testable. All measures together form a ‘control matrix’, which is used to check the quality of the outsourced service.
An ISAE 3402 report therefore creates more insight into the organisation performing the service. This also means more assurance for the organisation outsourcing the service.
Audit and declaration
The audit then tests whether the control measures described in the ISAE 3402 report are functioning and are properly applied. It consists of a check on the policies that are described as control measures and on the implementation of those policies. Evidence is collected on the basis of defined samples.
An RE auditor assesses whether the services are controlled. This assessment covers the design and existence of the control measures (Type I) and their actual operation over a period of at least six months (Type II). Based on the audit results, the auditor prepares a statement expressing an opinion on the extent to which the quality, continuity, security and integrity of the services are controlled. An organisation that performs a service for another company can thus demonstrate with this statement that the outsourced service is under control.
A real-life example: Trigion AlarmServiceCentrale
As consultants, we often come into contact with complex processes and outsourced services at our clients. Recently, one of our clients, Trigion ASC, chose to have an ISAE 3402 statement prepared. As an alarm and video surveillance centre, Trigion regularly receives questions about the control measures it takes to ensure business continuity.
Trigion ASC already meets the European standards for video surveillance and alarm centres, information security and business continuity, which among other things demonstrates that the ASC’s services meet high quality requirements. With the ISAE 3402 Type II statement, Trigion ASC gives clients more insight into the way it implements its control measures. These measures go beyond what the European standards require and are therefore of great value to Trigion ASC’s services.
In 2019, Protify supported the alarm and video surveillance centre in setting up its risk management system. Based on process analyses and risk assessments, the risks to Trigion ASC’s services were identified and evaluated. The results of the risk assessment were then used to establish control objectives to protect the service, from which specific control measures were designed and implemented.
On 10 July 2019, Trigion ASC received the ISAE 3402 Type I statement, in which Conclude’s external auditor assessed the design of the control measures as adequate. After a period of audits, Trigion received the ISAE 3402 Type II statement from Conclude on 21 January 2020. In this audit, the operation of the control measures over a period of six months was assessed positively.
Contact
Has your organisation outsourced important services and is it unclear whether the agreed requirements are actually being met? Or do you, as a service organisation, want to demonstrate that you meet the requirements of the organisation buying your service? Feel free to contact us for a no-obligation discussion.