
The declarations are international and also serve as documentation for customers and business partners abroad.

ISAE 3000 and ISAE 3402 - the most common statements

There are several types of IT auditor statements that are used for different purposes and businesses. They can also cover different time periods.

What the declarations have in common, however, is that they are international declaration standards. Therefore, they also serve as documentation for customers and business partners abroad.

Two of the most common IT auditor statements are:

  • ISAE 3000 - Data Processor Declaration
  • ISAE 3402 - General IT controls

ISAE 3000 - Data Processor Declaration

As auditors, we report with a high degree of certainty on the technical and organizational security measures that you, as a data processor, have put in place to protect the data you handle on behalf of your customers.

ISAE 3402 - General IT controls

We provide this statement if your company is an IT service provider - this could be hosting, operating an IT function, storing data for customers or providing Software as a Service (SaaS). An ISAE 3402 statement provides a picture of the overall state of your information security management and ranges widely - from the IT-related business processes that can affect financial reporting to the physical location of your servers. The starting point for our work is ISO 27001, the international management standard for information security.

A snapshot (type 1) or a period statement (type 2)

The statements are prepared as either a snapshot (type 1) or a period statement (type 2).

A snapshot: This statement is about how your controls are designed and implemented. As IT auditors, we perform a series of procedures to obtain reasonable assurance about whether your description of the services and controls is fairly stated in all material respects and whether the controls are suitably designed in all material respects.

A period statement: This statement is about the design, implementation and effectiveness of your described controls over a specific period, typically 12 months. Again, as IT auditors, we perform a number of procedures to obtain reasonable assurance about whether your descriptions of services and controls are fairly stated in all material respects. We also verify whether the controls are appropriately designed and whether the controls have operated effectively in all material respects during the period.

Want to know more?

Deciding which of the statements to get can be complex, and several factors come into play. We therefore recommend that you seek advice and guidance before deciding whether or not to get an IT auditor's report.

If you want to know more about the different types of declarations, what they require and how they can improve safety and quality in your business, contact us for a no-obligation sparring session. 
