ISAE 3402 OR ISO 27001

Organizations occasionally receive variations of the following questions from clients and prospective clients; what are the differences between an ISAE 3402 (SOC 1) or ISAE 3000(SOC 2) and an ISO 27001 audit? These organizations ask theirselves; which standard is more applicable to our company, ISAE or ISO 27001? What are the advantages and disadvantages of ISAE vs. ISO 27001? In fact ISAE 3402 and ISO 27001 are drastically different kinds of standards with equally dissonant use. The major differences are in the details, the form of reporting and the audit performed.

ISAE 3402 is an attestation from an independent certified accountant or firm that compares the System and Organization Controls (SOC) information against the audit objectives or criteria. In an ISAE 3402 report the IT general controls (ITGC’s) are included, but the primary scope are financial procedures and controls. An ISAE 3000 | SOC 2 report is focussed on the Trust Service Principles which include security, availability and privacy and has therefore more in common with ISO 27001. An important distinction is that ISAE 3402 | SOC 1 and ISAE 3000 | SOC 2 are reports and ISO27001 is a certification.

An ISAE 3000report is intended to report on the design (type I) and operation (type II) of the service organizations controls that mitigate risks based on the principles of security, availability, processing integrity, confidentiality and privacy. However in a ISAE 3000 (SOC 2), not all principles are required to be met, and SaaS providers can select the principle(s) that best meet their criteria (reporting objectives). In essence, there are no clearly defined rules or standards under ISAE 3402, and instead the provider is left to create their own security control and principles which are tested by the independent auditor.

ISO 27001 , on the other hand, is a risk based standard for establishing, implementing, and improving an organization’s security framework or ISMS. This standard security framework is maintained by information security professionals at the ISO and IEC. The implemented ISO 27001 framework is certified by independent certification bodies. The organization is required to have the procedures and controls described in Annex A of the ISO 27001 framework in place. The resulting security framework mitigates risks through the implementation of the procedures and controls. ISO 27001 is a complete system for assuring information security, and all organizations that implemented ISO 27001 should have at least a solid system for managing information security.

The world has changed. ISO 27001 has been the benchmark for information security, but with the information security risks continually evolving, many organizations require a greater level of assurance over information security. ISO 27001 is a single (rigid) set of controls, while ISAE 3402/3000 are principle based. This implies that the controls cannot be formally implemented, but not work effectively. An auditor will qualify the ISAE 3402 assurance opinion if this is the case. An ISAE 3402/3000 audit is an in-depth audit, focusing on the effectiveness of the risk framework in managing risks. If risks are not effectively managed, this will be exposed in the ISAE 3402 report. This level of transparence is required in the global economy and the continually evolving threat landscape.