What are the differences between ISAE 3402 and ISO 27001? ISO 27001 is a security standard that includes guidelines for the information protection of an organization. On the other hand, ISAE 3402 is an audit standard to report on outsourced activities.

An ISO 27001 certification has limited value for an auditor. It also lacks a type of testing framework that the ISAE 3402 does have. The ISAE 3402 standard allows for more freedom of style than ISO27001, as it only provides guidelines and a general testing framework that includes all activities affecting the annual accounts of the user organization. ISO 27001 has more specific requirements, such as the physical security of an organization or complexity demands for passwords.

An ISO 27001 audit will eventually lead to a certificate, while an ISAE 3402 report will be provided with a Service Organization Control report. Often, the costs for an ISO 27001 certification are below the costs of an ISAE 3402 certification. This is caused by the fact that an ISAE 3402 audit is generally more detailed and that the type II report is done over a period of six months. 

ISO 27001 or ISAE 3402?

The ISO 27001 audit is in fact completely covered by the ISAE 3402, as ISAE 3402 takes into account information protection and IT. This should make the decision between ISO 27001 and ISAE 3402 less exclusive. However, it is important to note that ISAE 3402 only concerns outsourcing activities. Activities that the firm performs itself are outside of the scope. The main difference is that ISO 27001 does not have a testing framework and is of limited value to external accountants. An advantage of ISO 27001 over ISAE 3402 is that it does have detailed requirements. The lack hereof in the ISAE 3402 standard makes the quality of an ISAE 3402 report dependent on the person making it and the one controlling it.