Usage of ISAE and SOC standards in the provision of information security-related assurance services

In today’s business environment, organisations that provide business-critical services routinely have to deal with information security issues. Understandably, the companies that use these services are concerned about the security of their data and the availability of the service. Service contracts concluded between the service provider and the client generally set a baseline for information security, but a contractual clause alone does not show whether the provider actually meets it.

There are various ways for organisations to demonstrate their information security posture to their customers. The simplest is a formal statement to the customer, or a questionnaire completed at regular intervals; both rest entirely on the provider’s own word. An independent audit is another option and gives the customer assurance that the service provider meets the agreed information security requirements; in that case the customer’s right to carry out an audit must be agreed in the service contract. One of the most common ways to prove the level of a service provider’s information security is certification of the organisation’s information security management system (ISMS) against the internationally recognised ISO/IEC 27001 standard.

There is also another way to provide assurance on an organisation’s information security with the credibility of international standards: the International Standard on Assurance Engagements (ISAE) or the AICPA’s System and Organization Controls (SOC) reports, formerly called Service Organization Control reports. In an ISAE or SOC engagement an external auditor (for example, KPMG) performs an assessment and, based on it, issues a formal, structured assurance report that the organisation can share with its customers and other interested parties, subject to the distribution restrictions stated in the report itself.

Compared to an ISO 27001 certificate, which only attests that a management system exists and conforms to the standard, reports prepared under ISAE and SOC give a considerably more detailed picture: they describe the specific security controls the service provider has implemented to protect partner and customer data, together with the auditor’s testing of those controls and its results.

SOC reports are mainly requested by customers or partners operating in the US market who want assurance that their data is properly secured by the service provider. ISAE reports are more common among companies based in the EU.

ISAE 3000

ISAE 3000 (Assurance Engagements Other than Audits or Reviews of Historical Financial Information) is the standard used to provide assurance over non-financial information. Subject matters ranging from sustainability or governance to information security can be assessed under it, and the criteria the controls are measured against are selected to fit the subject matter. For information security, the most typical areas of inspection are technical security, availability, continuity and confidentiality.

ISAE 3000 recognises two types of report:

  • Type 1 report provides assurance on the design and implementation of controls as at a specific date, and
  • Type 2 report provides assurance on the design, implementation and operating effectiveness of controls over a period, usually one year.

For information security, the criteria most commonly used are the 2017 Trust Services Criteria (TSC) issued by the AICPA (American Institute of Certified Public Accountants). The main reason for choosing the TSC is that they are the criteria required for SOC 2 reports, which are widely requested in the United States, so an ISAE 3000 report against the TSC is readily understood by US customers. The TSC are built on the COSO internal control framework and therefore also map well onto other common control frameworks.

The parties usually most interested in ISAE 3000 reports are the organisation’s existing and potential customers and business partners. In some cases regulatory bodies may also ask for them.

ISAE 3402

If your organisation provides accounting or financial information services, ISAE 3402 (Assurance Reports on Controls at a Service Organization) may be the more suitable standard. It covers the service organisation’s system of internal controls as far as it is relevant to the financial reporting of the organisation’s customers. Control areas assessed in ISAE 3402 engagements are therefore usually financial processes such as payroll, together with the IT general controls those processes depend on (for example access management, change management and backups), so information security is covered only to that limited extent.

Like ISAE 3000, ISAE 3402 recognises two types of report: type 1 covering controls as at a specific date and type 2 covering a period of time.

The organisation’s customers and their financial auditors are usually the parties interested in ISAE 3402 reports, since the auditors rely on the report when auditing the customers’ financial statements.

SOC 1, SOC 2, SOC 3

With some minor differences, SOC (System and Organization Controls) reports are the US equivalent of the ISAE reports used in the EU: SOC reports are issued under the AICPA’s attestation standards (SSAE 18), ISAE reports under the IAASB’s international standards. The overall setting of the engagement is the same in both cases: an external auditor performs an assessment and provides a report. The key practical difference is that a SOC report can only be issued by a licensed CPA firm, so a SOC engagement requires significant involvement of a US-affiliated CPA. For European organisations this usually means significantly higher costs.

If the criteria for an ISAE 3000 or 3402 engagement are selected correctly (for ISAE 3000, typically the Trust Services Criteria), the report is a very close equivalent of the corresponding SOC report and can usually substitute for it. It is nevertheless worth confirming with the customer beforehand that an ISAE-based report is acceptable, since some US customers insist on a report issued under the AICPA standards. KPMG professionals have undertaken dozens of ISAE engagements and produced dozens of reports for Finnish and Estonian clients, many of whom have used the report successfully with their US-based customers.

SOC 1 is the close equivalent of ISAE 3402, focusing on internal controls over financial reporting. SOC 2, like ISAE 3000, focuses on non-financial information and uses the Trust Services Criteria. SOC 3 is a condensed summary of a SOC 2 engagement intended for general distribution, for example via the organisation’s web page; it states the auditor’s opinion but omits the detailed description of controls and test results found in a SOC 2 report.

Phases of service

1. Pre-engagement information gathering

Before starting an assurance engagement, it is important to consider the organisation’s maturity level in terms of the subject matter. In the field of information security, the organisation should review its processes and systems and identify shortcomings. If there is any uncertainty, the engagement can begin with a gap analysis that identifies the key development areas; the actual assessment then follows some 3-6 months later, once those areas have been addressed.

2. Planning

The assurance engagement proper starts with thorough planning. The scope and limitations of the engagement are defined, points of contact identified and deadlines agreed. The planning phase usually takes a week or two.

3. Fieldwork

Planning is followed by fieldwork, which consists of interviews, documentation reviews and control testing related to the subject matter. For a type 2 report this also means testing that the controls operated throughout the period, so evidence such as access reviews, change records and incident logs must be available for the whole period, not only at the time of the assessment. Fieldwork usually takes 2-8 weeks, making it the most time-consuming part of the engagement, and it requires considerable involvement of the organisation’s employees.

4. Reporting

Once fieldwork is finished, the results are translated into an assurance report. Drawing up the report takes 2-4 weeks, including time spent on the auditor’s quality assurance activities. Reporting requires some involvement of the organisation’s management, but the organisation’s input in this phase is generally much smaller than during fieldwork.

Advantages and limitations of ISAE

The key deliverable of an ISAE assurance engagement is the assurance report. It covers a date or period in the past that the external auditor has assessed. It is important to understand that the report contains no estimate of, or insight into, the future state of the subject matter. Nor does it guarantee that no incident has gone unreported or that the report is free of misstatement; such a guarantee is simply not possible in information security. Every report therefore states the level of its opinion explicitly as either ‘reasonable assurance’ or ‘limited assurance’, and the reader should check which one a report gives, since limited assurance involves considerably less testing. The reader should likewise check the scope of the report (which systems and locations it covers), the date or period assessed, and any exceptions the auditor has noted, rather than treating the existence of a report as proof in itself.

However, a thorough ISAE report drawn up by a reputable external auditor provides a widely recognised and standardised way of showing the organisation’s customers and business partners that the organisation pays sufficient attention to the subject matter.

ISAE assurance is also well aligned with ISO 27001 certification, and much of the evidence gathered for one can be reused for the other. KPMG, being both an audit firm and an accredited ISO 27001 certification body, is in a unique position to offer the service. We can help you achieve your goals and meet the expectations of your EU and US customers alike with less work and lower costs.


Provide a safe and sustainable business environment for your company! We will help you build a resilient and reliable digital world, even in the face of changing threats.

KPMG Baltics OÜ

+372 626 8700
itaudit@kpmg.ee
Ahtri 4, 10151 Tallinn, Estonia