What is the ISAE 3402 Type II?
The ISAE 3402 Type II is an annual statement concerned with security in relation to technology and processes. The annual statement is a common requirement from the financial industry and the public sector to verify that vendors follow best practice within areas like physical access, operations, business procedures, disaster recovery, etc.
An organizational task
Anders Thingholm, CISO at CLOUDEON, describes the statement as “a proof of good organizational hygiene”, and describes the task of being compliant and adhering to best practices as an organizational task with many crucial stakeholders. From HR, through IT operations, to sales, each department carries an organizational responsibility for staying on top of best practices and implementing them.
Staying on top
CLOUDEON first acquired the ISAE 3402 in 2017 and has since been working diligently on maintaining and improving its security standards in accordance with the stated practices.
Focusing on continuously being accredited with the ISAE 3402 statement is good custom and an obvious choice for any company handling data on a large scale. The Danish Ministry of Education describes the standard as follows:
“The standard sets the framework for how the service provider’s auditor must perform his work and make statements, including how the auditor achieves a high degree of certainty in relation to the supplier’s description of his system being true, that the vendor’s controls are appropriately designed and that the controls have been effective. There must be consistency between the audit’s audited by the auditor and the purpose of the controls (control objectives), including the risks that the controls seek to address”.
The majority of the ISAE 3402 can be mapped to different ISO 27001 control sets, making ISAE 3402 a subset of the larger ISO 27001 framework, which is regarded as an overarching industry best standard for security, compliance and business procedures.